Fallout from Equifax’s 2017 data breach continues to impact the company even years later. Moody’s Investor Service, a bond credit rating business, lowered Equifax’s rating outlook from stable to negative, which indicates a higher likelihood of a rating change over the medium term. While ratings outlooks are nothing new, it is significant that a data breach and the consequences of such are a contributing factor to the rating outlook.
We’re seeing now that data breaches and other cyberattacks are not just affecting a company’s customers and perception, it also now can affect a company’s future profitability. Ian Thornton-Trump, head of security at AmTrust Europe, summarized the phenomenon: “It becomes unknown territory when it’s so high-profile and the bad news continues to hit. If getting loans and selling bonds to get through the crisis is more difficult, your long-term prospects are pretty bleak and your customers will be fleeing.”
While it may be too late for Equifax to reverse the damage and prevent an official rating downgrade, it’s a bellwether for businesses to get serious about cybersecurity. Seven months before Equifax’s outlook downgrade, Moody’s announced it would be evaluating organizations on their risk of a major impact from a cyberattack. The company even appointed its former chief information security officer (CISO), Derek Valdala, to become head of Moody’s new cyber risk group. “The demand for quantifying risk will increase as attacks move from fairly benign to those that could break down a business entirely,” said Valdala.
External Threats: Not the Only Risks Affecting Profitability
Malware, DDoS, phishing and other external-based cyberattacks are becoming extremely sophisticated, which is why Moody’s is taking cybersecurity threats seriously and signaling companies to do the same. Eventually, the company plans on having a standalone cyber-risk rating system, perpetuating the idea that companies should be on alert about their cybersecurity issues affecting them both externally and internally.
Internal-based cyberattacks are just as serious as external, but they don’t get much airtime due to the lack of public communication about them. In fact, Ipswitch reported that nearly 75% of data breaches are due to threats within the company. It makes sense, though: Employees and contracted vendors most likely have access to multiple ERP systems, applications and data storage platforms without stringent restrictions or access controls in place. In one such case, an employee from ING managed to embezzle $8.5 million by using another’s password to sign checks he initially wrote and then approved himself.
It’s not common for insiders to willfully take advantage of cybersecurity issues. However, even the best, most trustworthy employees and vendors don’t always need to have complete access to company data, as human error is often a cause of data breaches—84%, according to Computer Weekly.
The Bottom Line for Your Bottom Line
Moody’s isn’t the only organization stressing the financial impact of maintaining stringent cybersecurity measures. The U.S. Securities and Exchange Commission (SEC) issued a statement in 2018 that it would focus on “maintaining comprehensive policies and procedures related to cybersecurity risks and incidents” for public companies. True to its word, the SEC later charged a company with deficient cybersecurity procedures after a data breach comprised the personal information of its customers. The company ended up settling with the SEC for $1 million, not to mention the reputational costs and business costs to ensure a breach doesn’t happen again.
The bottom line is that forgoing cybersecurity plans, procedures, tests and investments inevitably will affect your company’s bottom line. Public and private companies alike should be concerned with Moody’s outlook downgrade for Equifax. You can assume that other credit rating agencies, VCs, investors and banks also will start to consider cybersecurity risk into their assessment of profitability.
No longer should companies rely on the trust of their employees to do good or luck that hackers may not target or successfully penetrate their defenses. While there are no guarantees that a data breach can’t happen, having a strategy that covers all the bases, from asset recovery to proper disclosure, is a good start.