Impact of Cybersecurity Risk on Corporate Creditworthiness
GICP Expert View / 24 January, 2023
Excerpt from the Global Credit Certificate, Chapter 19: Trends in New Technologies and Their Impact on Credit
For a credit analyst to get a complete picture of a company's cyber risk, they must know and understand the data the company gathers and uses, how and where else it is used and processed, and the security arrangements that protect it. They must also understand how often data is backed up, since backup frequency trades cost efficiency against operational resilience. An often-cited rule for critical data is the 3-2-1 rule: keep at least three copies of the data (the production copy plus two backups), on two different types of media, with at least one copy held off site. A copy that the production environment can overwrite or delete does little for resilience against ransomware, so the off-site copy should be offline or immutable.
Every cyber event is unique, and its impact on creditworthiness, if any, has to be determined on its own merits. Cyber risks can have both a financial and a non-financial impact. The financial impact is often not fully known at the time of the incident, because several costs, including fines, forensic analysis, restoration, the purchase of new hardware and/or software, and lawsuits, are still unknown. Further, while daily lost revenue is relatively easy to quantify, it is usually unclear for how many days systems will be fully or partially shut down.
It is possible that insurance, specifically cyber insurance and business interruption insurance, may defray part of the economic impact. Cyber insurance varies greatly by region and company, but the underlying premise is that the insurer will pay some level of benefit if the company suffers an economic loss from a cyber event. As cyber losses increase, insurance premiums, deductibles, and policy benefits are volatile, and policies may exclude some causes of loss, so the analyst should not assume that a loss will be fully recovered.
While business interruption costs may be reasonably quantifiable, other, non-financial effects may be less certain at the time a cyber event is announced, such as potential reputational damage. Such non-financial impacts can have a bigger effect on creditworthiness if the event is judged to stem from poorly managed corporate governance or if the incident response plan is poorly executed.
A quick way to determine whether a cyber event may affect the creditworthiness of an issuer is to approach the problem from the other direction: first ask how large a loss would have to be to impair the issuer's creditworthiness, then determine how likely a loss of that size is, based on historically significant credit events at the issuer and its peers, and on the issuer's capital and earnings.
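The two-step screen described above, as an added worked example that is not part of the original GICP text: a threshold is derived from the issuer's capital and earnings, then the chance of a loss that large is estimated from the loss history of the issuer and its peers. All figures are constructed for illustration, and the threshold rule (a loss consuming 10% of capital or one year's earnings, whichever comes first) and the Poisson arrival assumption are the example's own choices, not a GICP or rating-agency standard.

```python
"""Loss-threshold screen for cyber events.

Added illustration of the two-step approach: (1) how large a loss would have
to be to impair the issuer, (2) how likely a loss of that size is, judged
from the loss history of the issuer and its peers. Every number below is
constructed for the example; the threshold rule is an assumption, not a
GICP or rating-agency standard.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Issuer:
    name: str
    capital: float    # loss-absorbing capital, in millions (hypothetical)
    earnings: float   # annual pre-tax earnings, in millions (hypothetical)


@dataclass(frozen=True)
class LossEvent:
    company: str
    capital_at_time: float  # the affected company's capital when the event hit
    loss: float             # all-in cost: fines, forensics, restoration, lost revenue


def impairment_threshold(issuer, capital_share=0.10, earnings_share=1.0):
    """Smallest loss treated as credit-relevant.

    Assumed rule of thumb: a loss that consumes 10% of capital or a full
    year's earnings, whichever is hit first. Tighten or loosen as required.
    """
    return min(issuer.capital * capital_share, issuer.earnings * earnings_share)


def severity_share(event):
    """Express an event's loss relative to the size of the company it hit,
    so peer experience can be applied to an issuer of a different size."""
    return event.loss / event.capital_at_time


def screen(issuer, events, company_years, **threshold_kwargs):
    """Return the threshold and the estimated annual probability of a
    credit-relevant loss, plus the two ingredients behind that estimate."""
    if company_years <= 0:
        raise ValueError("company_years must be positive")
    threshold = impairment_threshold(issuer, **threshold_kwargs)
    threshold_share = threshold / issuer.capital

    # Frequency: events per company-year across the issuer and its peers.
    rate = len(events) / company_years
    # Severity: share of observed events large enough, relative to the
    # affected company's capital, to breach the issuer's threshold.
    severe = sum(1 for e in events if severity_share(e) >= threshold_share)
    p_severe = severe / len(events) if events else 0.0

    # Severe events arrive at rate * p_severe per year; under a Poisson
    # arrival assumption the chance of at least one in a year is 1 - e^-lambda.
    annual_probability = 1.0 - math.exp(-rate * p_severe)
    return {
        "threshold": threshold,
        "events_per_year": rate,
        "p_severe_given_event": p_severe,
        "annual_probability": annual_probability,
    }


# Constructed sample: one issuer and five peers observed for ten years each
# (60 company-years), with eight incidents between them. Not real data.
ISSUER = Issuer("Issuer", capital=500.0, earnings=40.0)
EVENTS = [
    LossEvent("Peer A", 400.0, 4.0),
    LossEvent("Peer B", 800.0, 16.0),
    LossEvent("Peer A", 420.0, 12.6),
    LossEvent("Peer C", 300.0, 15.0),
    LossEvent("Issuer", 480.0, 43.2),
    LossEvent("Peer D", 250.0, 30.0),
    LossEvent("Peer E", 1000.0, 5.0),
    LossEvent("Peer B", 750.0, 150.0),
]
COMPANY_YEARS = 60


if __name__ == "__main__":
    result = screen(ISSUER, EVENTS, COMPANY_YEARS)
    for key, value in result.items():
        print(f"{key:>22}: {value:.4f}")
```

With the constructed sample the threshold is 40 (one year's earnings binds before 10% of capital), three of the eight observed events were large enough relative to their victim's capital to breach it, and the estimate comes out at roughly a 5% chance per year of a credit-relevant loss. The estimate is entirely backward-looking, so it should be read as a floor rather than a forecast, and any expected insurance recovery would be netted from the loss before comparing it with the threshold.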
To date, cyber incidents have not significantly affected company credit assessments, but as cyber threats increase, along with regulatory fines for failing to meet minimum cybersecurity requirements, it is plausible that a cyber event could have a significant effect in future. In the extreme, a cyber event could cause a company to become bankrupt. This underscores the potential severity of a cyber event and the importance of mitigating potential incidents. It is also important to note that past incidents are not necessarily indicative of future events, in terms of both frequency and severity.
Ultimately, capital serves as the buffer over liabilities that absorbs any shortfalls in risk mitigation. Extra capital also buffers shortfalls in assets, unknown risks, and understated liabilities. Therefore, more capital should be held for risks that are harder to quantify and for losses whose frequency is difficult to predict.
Assessing the cybersecurity of a credit on public information alone is difficult. Companies face a similar challenge when assessing vendors and suppliers. Companies are loath to publicly disclose details of their cybersecurity posture for fear that the information could be used to attack their systems.
The primary issues that an analyst can consider to get a glimpse into a company's exposure to cybersecurity risks and its cybersecurity arrangements are:
- Cyber laws and customer welfare: the analyst should check whether the company is subject to any laws or regulations regarding cybersecurity. If it is, the analyst should review the company's financial statements and other disclosures for statements on whether it complies with them. Where the issuer claims compliance, the analyst should review the underlying laws and regulations to understand what the issuer is actually required to do.
- Operational resilience: the analyst can assess how resilient the business's operations are to cyber events, for example how quickly critical systems and data could be restored after an outage.
- Governance and board experience: the analyst can review whether members of the board of directors and company executives have a background in cybersecurity. If the company has a chief information security officer (CISO), the credit professional should research the CISO's previous work experience and background to get a sense of how that experience could influence the current company's cyber hygiene. In addition, if the company has had a cyber incident, the analyst should review what happened, how the company responded, and what has been done to prevent it from recurring.
- Other vulnerability assessment tools: the analyst can draw on other available vulnerability assessment tools, for example third-party security rating services that assess a company's externally visible attack surface.