Cyber risk is gradually becoming an issue among rating analysts. But how exactly does it affect the continued sustainability of a company? Or put differently: Why should a cyber-attack affect the credit worthiness of a company?
Considering the fact that we now work within a digitalised world, it means the whole existence of a company could be threatened by a Ransomware attack.
Credit Raters now view material cyber threats in a similar vein as other extraordinary event risks such as natural disaster with subsequent credit impact based on the duration and severity of the event.
Even though the risk of cyber-attacks is yet to be mainstreamed as a principal rating driver, credit analysts have started incorporating numerous stress testing scenarios such as cyber-attack as part of what could trigger an event risk.
Event risk is defined as the possibility that an unforeseen event could negatively affect a company, industry or security leading to a loss to investors or other stakeholders.
Unforeseen corporate reorganisation or bond buybacks may have a positive or negative impact on the market price of a stock. Companies also face event risk from the possibility of the CEO dying suddenly, an essential product being recalled, or the company coming under investigation for suspected wrongdoing.
Therefore, an event risk could occur when a digital company fails to incorporate appropriate cyber risk mitigation strategies into its enterprise risk management system.
Cybersecurity or Information Technology security is a fundamental aspect and practice that should be present in every organisation. It is the practice of protecting critical systems, networks and sensitive information from digital attacks. Cybersecurity measures are designed by entities to fight against threats posed on network systems and applications, whether those threats originate internally or externally.
Weak cybersecurity defenses could cause harm to a company’s credit rating, even before the actual attack. Especially, in the world we live in today, where cyberattacks and data breaches are growing bigger and becoming recurrent.
Analysts recommend that as part of strategies/controls in mitigating against risk, companies should embed cyber security to reduce their vulnerability to cyberattacks. In a situation where a credit agency from its review concludes that a company is highly vulnerable to cyberattacks, this could result in a lower rating being issued.
When a company suffers a cyberattack, it can affect several elements of its credit score. Elements such as a company’s liquidity position, cash flow/leverage, reputation/competitive position and ESG assessment should be considered among others. All these interrupt the business and make the risk to an organisation’s credit rating higher.