More than ever, cybersecurity strategy is a core part of business strategy. For example, a company’s cyber risk can directly impact its credit rating.

Credit rating agencies continuously strive to gain a better understanding of the risks that companies face. Today, those agencies increasingly incorporate cybersecurity into their credit assessments. This allows agencies to evaluate a company’s capacity to repay borrowed funds by factoring in the risk of cyberattacks.

Getting hacked impacts credit scoring

As per the Wall Street Journal (WSJ), credit-rating agencies are placing greater emphasis on how companies handle cyberattacks. Cybersecurity has now become part of the assessment of creditworthiness. S&P Global Ratings analysts have revealed that companies and government agencies affected by cyberattacks have been downgraded due to IT outages, as well as the financial impact of the attacks.

Moody’s Investors Service and Fitch Ratings have also highlighted the dangers of cyber risks. In the event of a cyberattack, some financial consequences may be immediately apparent. Others may take months to materialize and could impact an organization’s ability to repay its debts.

Real-world credit rating impact

Following the SolarWinds cyberattack in 2020, the company was downgraded by S&P from a B+ to a B rating. S&P’s associate director for corporate ratings, Minesh Shilotri, praised SolarWinds for its clear communication and speedy provision of security fixes to customers after the attack, as per the WSJ. However, the software company still suffered from the loss of clients and increased investment in security spending.

Even when companies work quickly to respond to cyberattacks, transparency and communication are vital. Credit rating agencies expect comprehensive details about any cyber incident. Any delay or ambiguity in communication could affect future creditworthiness.

Meanwhile, Chloe Pickett, S&P’s associate director for U.S. public finance ratings, revealed that the Princeton Community Hospital in West Virginia suffered a ransomware attack in 2017. The incident resulted in the center diverting ambulances for a month and losing a significant amount of revenue.

The Princeton Community Hospital attack was a contributing factor to S&P’s decision to downgrade the hospital’s rating from BBB+ to BBB in 2019. Along with the Covid-19 pandemic and the acquisition of a small nearby hospital, the cyberattack was also cited as a reason for S&P’s negative outlook in 2021. The disruption caused by the attack left the hospital in a weaker position to deal with other changes in its business.

World bank cybersecurity guidelines

The World Bank has also chimed in on the impact of cybersecurity and credit reporting. The World Bank’s Cybersecurity In Credit Reporting Guidelines states:

“Widespread cyber incidents can trigger lenders to curtail credit granting in response to fears of widespread frauds that could emanate from such data incidents. The resultant credit rationing can then impact on both aggregate demand by individuals and firms’ profitability.”

The credit reporting cyber ecosystem is experiencing a noteworthy transformation overall, as per the World Bank report. This is driven by changes in the credit reporting landscape. The entry of new data providers, the advent of novel technologies and the expansion of diverse data sets all impact how credit is evaluated worldwide.

As per the World Bank, security controls safeguard the confidentiality, integrity and availability of processed, stored and transmitted information. And these controls must adhere to a set of predefined security requirements.

The World Bank states that cybersecurity focus areas should include:

Steps to develop a cybersecurity and data privacy strategy

While the task may seem daunting, success remains in an organized effort to move forward. Some steps (adapted for this article) outlined by the World Bank report include:

  1. Prioritize critical assets: Create an IT asset inventory (data, physical devices, information systems and software) that support critical business processes. Identify the potential effect (financial, operational and reputational) on the organization if those assets are compromised. Assign a criticality rating to each asset.
  2. Understand the threats (threat intelligence): Identify threat actors (state-sponsored entity, organized crime, hacktivist, malicious insider, etc.) relevant to the organization. Rank them by capability and motivation to compromise critical assets.
  3. Assess current state: Conduct a candid assessment of current cyber capabilities and performance using an industry-recognized cyber framework (for example, NIST Cybersecurity Framework).
  4. Define the future state: Set the vision and long-term goals for the cybersecurity function, accounting for the organization’s strategic goals. These goals should set the course for the future of the organization’s cybersecurity.
  5. Create an implementation plan: Conduct a gap analysis between the current cyber capabilities and the desired future state. Identify initiatives that would help bridge the gap. Estimate the cost and level of effort for each initiative, and determine the security benefit each would provide. Create a list of initiatives in a multiyear timeline, assigning a high priority to those that provide favorable cost/benefit/effort ratios.
  6. Implement and track progress: Assign necessary resources to implement the security plan. Track key performance indicators and frequently report progress to senior management.

Cybersecurity strategy is business strategy

More than ever, the impact of cyber risk continues to penetrate core business decision-making. Given the risks, regulatory bodies and credit agencies will likely become more proactive in their assessments. It won’t be enough to report only when a breach occurs. The World Bank mentioned “predefined security requirements”. This could mean that organizations will increasingly demand compliance when it comes to security evaluation.

Legislation such as DFARS (Defense Federal Acquisition Regulation Supplement), FISMA (Federal Information Security Management Act), HIPAA (Health Insurance Portability and Accountability Act) and ISO standards already have established cybersecurity compliance requirements. Similar measures may become required in the future to gain favorable credit ratings.

More from Data Protection

How data residency impacts security and compliance

3 min read - Every piece of your organization’s data is stored in a physical location. Even data stored in a cloud environment lives in a physical location on the virtual server. However, the data may not be in the location you expect, especially if your company uses multiple cloud providers. The data you are trying to protect may be stored literally across the world from where you sit right now or even in multiple locations at the same time. And if you don’t…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

The compelling need for cloud-native data protection

4 min read - Cloud environments were frequent targets for cyber attackers in 2023. Eighty-two percent of breaches that involved data stored in the cloud were in public, private or multi-cloud environments. Attackers gained the most access to multi-cloud environments, with 39% of breaches spanning multi-cloud environments because of the more complicated security issues. The cost of these cloud breaches totaled $4.75 million, higher than the average cost of $4.45 million for all data breaches.The reason for this high cost is not only the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today