On May 23, 2019, Equifax became the first company ever to have its outlook downgraded by Moody’s due to cybersecurity concerns. The 2017 compromise of sensitive data on nearly half the population of the United States has resulted in both turmoil for Equifax and lessons for the cybersecurity community. Two years after the mega-breach, we are now presented with a new measure of business health. Lawmakers, CEOs, and credit rating agencies have rushed to pass laws, develop processes, and focus public relations activity on addressing the various types of damage and fallout that have accompanied the massive breach. The evaluation standards, penalties, and regulatory measures that are developing out of the aftermath are informing professionals about the best path forward following breaches of this size and impact.

In this post, we will discuss the reasons for Equifax’s outlook downgrade from stable to negative and a possible future credit rating downgrade by Moody’s Investors Service. We will also take a look at the impact it will have on the future evaluation of companies by investors, and the involvement of CEOs and board members in information security, as cyber risk is rightfully and increasingly seen as a business risk.


In September 2017, Equifax announced that it had suffered a mega-breach in which almost half the population of the U.S. had their Social Security numbers, driver’s license numbers, information from credit disputes, and other “lifetime data” stolen by an unknown actor. Immediately afterward, in 2017, Standard & Poor’s downgraded Equifax’s outlook to negative from stable, publishing a report that said Equifax’s “negative outlook reflects significant uncertainty surrounding the impact of the recent cybersecurity incident.” Credit rating agencies had not dealt with a data breach of this magnitude, and Equifax was expected to settle its litigation, successfully remediate the attack, and mitigate the impact to its core business before returning to business as usual. Standard & Poor’s announced no plans to determine credit ratings by estimating the risk of a cyber attack.

Then in 2018, Equifax announced two revisions to its initial data-breach disclosure. There were about 2.4 million more records exposed than previously believed, and the hackers had also stolen additional data from the total 148 million records compromised. Several months later, Moody’s announced that it would begin analyzing the risk of cyber attacks and business-impacting data breaches as an indicator of creditworthiness. Throughout the two years since the mega-breach, the U.S. government has called the event completely preventable, imposed new regulations on credit rating agencies, published reports, and held Senate hearings addressing Equifax’s information security failures. Investigators suspect the breach could have been an act of espionage by a foreign nation that attacked Equifax for information it plans to use to potentially compromise U.S. citizens.


Almost a year after Moody’s initial announcement about building the risk of business-ending hacks into its credit ratings, and two years after the breach, Equifax has become the first company ever to have its outlook downgraded by Moody’s due to cybersecurity concerns. For years Moody’s has warned that cyber issues like a “meaningful breach” could result in a downgrade, planning to incorporate cyber risk into its existing credit ratings and considering a stand-alone cyber risk rating for the future.

In Equifax’s case, Moody’s noted the firm’s necessary cybersecurity investments and the threat they pose to the financial health of the company, citing $690 million paid out in the first quarter of this year, which is comprised of ongoing class-action lawsuits and potential regulatory fines. The credit rating firm went on to say that it expects Equifax’s free cash flow and profit to be negatively impacted for the foreseeable future, with Equifax projected to spend about $400 million in 2019 and 2020 on cybersecurity expenses and investments.


It is not yet clear if consumers and corporations should expect quick responses to and punishments for ignored cybersecurity concerns and data breaches. What is clear is the shift towards cybersecurity “readiness” and potential for breach as essential measures of business health and the strength of consequences post-incident.

For data-sensitive industries, the Equifax outlook downgrade adds yet another layer of concern following a cybersecurity incident. Moody’s has announced that it is building cyber risk into its credit ratings and, though they have remained silent on details, financial and securities firms, hospitals, market infra