“For corporate borrowers, as well as Standard & Poor’s Ratings Services’ assessment of credit quality, cyber risk is a growing source of concern, given the increasing frequency of reported incidents,” says a new analysis report from S&P – “Cyber Risk And Corporate Credit.”
The report lists a number of the most recent corporate targets that have been hacked. It includes “large retailers (Home Depot, Target, Sony), banks (JPMorgan Chase, Citibank), and health insurers (Anthem, Premera Blue Cross). Clearly, no entity is safe and Standard & Poor’s today published a series of articles discussing the risks from a credit perspective across a number of industries and sectors.”
From a ratings standpoint, S&P said that “post-attack reparations pose the greatest risk to credit quality in our view, although they have been modest so far. Business disruption, adverse legal outcomes, and loss of reputation are among myriad potential consequences.
“The most likely adverse ratings impact would stem from an attack weakening a target company’s business profile, most likely in terms of future revenue and profitability, and by causing deterioration in credit metrics.
“For individual companies, effective response plans, which we evaluate as part of corporate governance and enterprise risk management, may be the best differentiator, as we noted in our report.”
S&P said, however, that its research among corporate issuers has concluded that “the fear of becoming the focus of an attack may limit disclosures. Furthermore, given the unique cyber risk profile, we think it is better assessed as a form of event risk. In the meantime, the most transparent factors that we can seek to understand are the impact on cash flow from costs of security measures, insurance premiums, risk preparedness, disclosure requirements, and financial aftermath following successful attacks.”
Gareth Williams, a corporate economist at S&P, noted: “We understand that companies may wish to be discreet about the measures they have adopted, given that a statement of strength might be seen as a provocation and incentive to cyber criminals, but for certain sectors a board-level focus on complex and technical cyber issues may become necessary.”
Meanwhile, S&P indicated that “among the financial services companies we rate, the many successful cyber-attacks haven’t yet resulted in any changes to our ratings. At the same time, we believe cyber threats could soon pose a higher credit risk to the industry, as we stated in – ‘U.S. Financial Services Credit Ratings Are Resilient To Cyber Security–For Now’ – also published today.”
S&P’s bulletin added, however, that “it’s not difficult to envision scenarios in which criminal or state-sponsored cyber-attacks (for credit implications, we don’t differentiate) would result in significant economic impacts, business interruption, theft, or damage to reputation. In this report, we discuss the key questions we are asking management teams and our observed best practices as we start evaluating cyber risk in the context of management governance and enterprise risk management.”
Turning to the implications of cyber-attacks for the re/insurance industry, S&P explained that although insurers are “eager to jump on the cyber insurance bandwagon, a number of stumbling blocks exist, as we noted in our report published today entitled – ‘Looking Before They Leap: U.S. Insurers Dip Their Toes In The Cyber-Risk Pool.’
“Among them is a lack of actuarial data and reliable modeling, which makes effective quantification and pricing of this risk a challenge. Further clouding this picture is a lack of disclosure by the insured. As noted in our report on corporate entities, this may be to prevent them from becoming a target of hackers, or it may be due to a limited awareness of vulnerabilities or compromised systems.”
Credit analyst Tracy Dolin said: “The market is largely fluid as demand is increasing, newer entrants are scratching the surface, and the risk itself is evolving. Although this market is immature at the moment, there is still value to be found if insurers properly underwrite risk.”
S&P indicated that for the present “offering cyber-risk protection is unlikely to impair an insurer’s financial strength, as even the largest players have exhibited a prudent approach in offering protection with low limits and numerous policy exclusions. However, we could take rating actions if insurers exhibit excessive growth, poor underwriting standards, or insufficient risk management.”
There remains, however, the “potential for systemic risk.” S&P’s Chief Information Officer Thomas Bayer explained that “when perpetrators attack an industry, they attack everybody–so weaknesses are widespread.”
Technological growth, and its increasingly widespread use and sophistication, also present problems. S&P said: “Interconnectivity is evident as organizations depend on third parties such as their Internet service providers, cloud providers, backup data centers, and software providers, all of which could inadvertently cause business interruption or privacy violations.
“To put this in context, cyber-attacks cost the global economy more than $400 billion annually according to one estimate, and the U.S. Homeland Security’s Cyber Emergency Response Team last year responded to 245 incidents–one-third of which were in the energy sector, and about one-quarter in what is categorized as critical manufacturing.”
S&P appended its standard caution, noting that under its procedures “only a rating committee can determine a credit rating action (including a credit rating change, affirmation or withdrawal, rating outlook change, or CreditWatch action). This commentary and its subject matter have not been the subject of rating committee action and should not be interpreted as a change to, or affirmation of, a credit rating or rating outlook.”
Source: Standard & Poor’s