On May 23, 2019, Equifax became the first company ever to have its outlook downgraded by Moody’s due to cybersecurity concerns. The 2017 compromise of sensitive data on nearly half the population of the United States has resulted in both turmoil for Equifax and lessons for the cybersecurity community. Two years after the mega-breach, we are now presented with a new measure of business health. Lawmakers, CEOs, and credit rating agencies have rushed to pass laws, develop processes, and focus public relations activity to address the various types of damage and fallout that have accompanied the massive breach. The evaluation standards, penalties, and regulatory measures developing out of the aftermath are informing professionals on the best path forward following breaches of this size and impact.
In this post, we will discuss the reasons for Equifax’s outlook downgrade from stable to negative and possible future credit rating downgrade by Moody’s Investor Service. We will also take a look at the impact it will have on the future evaluation of companies by investors, and the involvement of CEOs and board members in information security, as cyber risk is rightfully and increasingly seen as a business risk.
In September 2017, Equifax announced that it had suffered a mega-breach in which almost half the population of the U.S. had their Social Security numbers, driver’s license numbers, information from credit disputes, and other “lifetime data” stolen by an unknown actor. Immediately afterward, in 2017, Standard & Poor’s downgraded Equifax’s outlook to negative from stable, publishing a report that said Equifax’s “negative outlook reflects significant uncertainty surrounding the impact of the recent cybersecurity incident.” Credit rating agencies had not dealt with a data breach of this magnitude, and Equifax was expected to settle its litigation, successfully remediate the attack, and mitigate the impact to its core business before returning to business as usual. Standard & Poor’s announced no plans to determine credit ratings by estimating the risk of a cyber attack.
Then in 2018, Equifax announced two revisions to its initial data breach disclosure: about 2.4 million more records were exposed than previously believed, and the hackers had also stolen additional data from the total 148 million records compromised. Several months later, Moody’s announced that it would begin analyzing the risk of cyber attacks and business-impacting data breaches as an indicator of creditworthiness. Throughout the two years since the mega-breach, the U.S. government has called the event completely preventable, imposed new regulations on credit rating agencies, published reports, and held Senate hearings addressing Equifax’s information security failures. Investigators suspect the breach could have been an act of espionage by a foreign nation attacking Equifax for information it plans to use to potentially compromise U.S. citizens.
What’s happening now
Now, almost a year after Moody’s initial announcement that it would begin building the risk of business-ending hacks into its credit ratings, and two years after the breach, Equifax has become the first company ever to have its outlook downgraded by Moody’s due to cybersecurity concerns. For years Moody’s has warned that cyber issues like a “meaningful breach” could result in a downgrade, planning to incorporate cyber risk into its existing credit ratings and considering a stand-alone cyber risk rating for the future.
In Equifax’s case, Moody’s noted the firm’s necessary cybersecurity investments and the threat they pose to the financial health of the company, citing $690 million paid out in the first quarter of this year, which comprises ongoing class action lawsuits and potential regulatory fines. The credit rating firm went on to say that it expects Equifax’s free cash flow and profit to be negatively impacted for the foreseeable future, with Equifax projected to spend about $400 million in 2019 and 2020 on cybersecurity expenses and investments.
Damage to reputation, negative outlook, and now the threat of credit downgrade?
It is not yet clear if consumers and corporations should expect quick responses to and punishments for ignored cybersecurity concerns and data breaches. What is clear is the shift towards regarding cybersecurity “readiness” and potential for breach as important measures of business health and the strength of consequences post-incident.
For data-sensitive industries, the Equifax outlook downgrade adds yet another layer of concern following a cybersecurity incident. Moody’s has announced that it is building cyber risk into its credit ratings and, though it has remained silent on details, financial and securities firms, hospitals, market infrastructure providers, and electric utilities are most at risk of cyber attack. These industries could be subject to higher insurance premiums or could receive less funding because of the perception of increased risk to investors. This move forces CEOs and board members to become more active in managing cybersecurity risks, as they now pose a risk to the survival of their companies.
The implications of including breach risk, or the risk of a “business-ending (cyber) event,” as a factor in a corporation’s outlook and creditworthiness are far-reaching and varied, as credit rating agencies are not alone when establishing policies and assessing company value. The insurance industry will surely follow suit and begin to include the possibility or likelihood of a breach or “business-ending (cyber) event” in its calculations of overall risk.
Cyber risk is a business risk
Following the Equifax mega-breach, the cybersecurity “readiness” of an organization is being called into question when determining its value. CEOs, boards, and investors are now being presented with tangible consequences of a data breach that have a measurable financial impact. As cyber risk is increasingly seen as integral to business risk, an assessment of a company’s resilience to attack and risk of breach will become standard.
Minimize your cybersecurity risk by employing a proactive solution like Terbium Labs’ Matchlight, which constantly monitors the dark web for the sensitive information your company cares most about. To learn how Matchlight can help your organization proactively address data breaches and leaks, visit our resources page or contact us today.