
Cyberattacks typically haven’t had much impact on credit quality, but the rising number and severity of attacks could change that, says Moody’s Ratings.

“The rising number and sophistication of cyberattacks is increasingly eroding creditworthiness,” the rating agency said in a report. “As attack severity intensifies, costs increase, digitalization broadens, and new technologies such as generative AI and quantum computing emerge, the potential for adverse credit effects is rising.”

The fallout from such incidents can reduce firms’ revenues, increase costs and lead to regulatory and legal sanctions.

“Revenue flows can be disrupted by business outages, loss of customers, or theft of intellectual property,” the report said. “Business disruption costs dwarf other categories of costs.”

According to a study of cyber insurance claims, business interruption costs represented 72% of the total cost of cybersecurity incidents on average for firms with at least US$2 billion in annual revenue.

Ransomware payments are the next biggest expense, the report noted, although these costs are not typically excessive — by design.

“Cybercriminals often set their ransom amounts according to the issuers’ revenues and cyber insurance provisions,” the report said. “The attackers know that organizations are highly unlikely to pay a ransom that would cause significant financial strain, so they use the stolen data to calibrate their ransom demands.”

Also, the targets of these kinds of attacks often negotiate the ransom to manageable levels.

The other common costs of cyberattacks include reputational damage and intellectual property theft, which Moody’s said “are harder to measure but can also be significant.”

At the same time, the financial impact of attacks can include remediation costs, regulatory fines and legal settlements, the report said: “In the immediate aftermath of an attack, liquidity may become strained and debt may increase as issuers respond to costs incurred as a result of the cyber incident. Later, regulatory fines and legal settlements can weigh on profitability and cash flow.”

While strong cybersecurity is costly, these kinds of investments “can significantly reduce the likelihood, severity and costs of cyber incidents,” the report said.