Moody’s looks at the event risk and the impact of cyber incidents on organizations
For some time now, information security professionals have been discussing how a company’s stock price can be affected by an information security incident. The idea is that, for many, doing business with an organization that was unable to repel an information security incident was reprehensible and, as a result, there would be mass desertion of customers. Once customers understood that their privacy was exposed, they’d no longer frequent these businesses and, consequently, the company’s financials would be impacted. This impact would manifest itself in tangible ways, such as stock price, and the result would be a reputational impact so large that the company would falter. By and large, this has not happened.
The effect of mandatory breach notifications has been that we are all much more aware of how often breaches happen. Some have even gone so far as to dub this “breach fatigue.” Offering customers credit monitoring and promising to “take it seriously” have become de rigueur. In fact, many customers have multiple credit monitoring services running simultaneously because of their data being lost by different companies at the same time. Research abounds that discusses the cognitive dissonance associated with individuals saying that the privacy of their data matters a lot, yet people will voluntary disclose voluminous amounts of information about themselves for very little in the way of compensation or even promises to protect it. So, too, does research show that breaches have little and short-term impact on stock prices.
This desire to see the impact of the breach on an organization is driven by best intentions: The idea is that with these kinds of pains, good security behaviors will be enacted to prevent poor outcomes. That is happening, although perhaps not the way that security professionals have envisioned. Moody’s has released some research that shows that cyber incidents can be shown to impact an organization’s financial profile and business prospects. The firm discusses this in the context of what is called event risk.
Investors like companies to have a good line of sight into major events and share them with investors long before they happen (along with plans on how they will manage through these events). Sometimes events occur for which an organization has not prepared adequately, either emotionally and financially. When this occurs, the market responds negatively. This can include things within the firm such as the sudden resignation of a CEO or can be industrywide, such as a worldwide financial crisis (such as what occurred in 2008). We are also starting to see evidence that certain types of cyber incidents can also cause event risk for a firm.
For example, the Moody’s report focused on two areas: business disruption and reputational impacts. As organizations continue their digital transformation journeys, more and more of their operations will be dependent upon technology and, therefore, subject to availability outages. If malicious or erroneous cyber incidents prevent an organization or its suppliers from satisfying customer demand, there could be massive disruptions in commerce sufficient to affect organizational revenue and the reputation of the firm. A less concrete link exists between those confidentiality-impacted incidents and reputational harm, as indicated above. Customers yet have not seen fit to desert companies in mass quantities post-data breach for a long enough period to have a lasting impact. As a result, regulators have stepped up the financial penalties to exact harm on customers’ behalf. These economic externalities are important motivators for organizations to conduct themselves in the best possible manner long before an incident occurs.
We are also seeing greater insight into how the investor community is thinking about large-scale breaches through the Equifax case. Recently, Moody’s downgraded Equifax as a response to its 2017 breach. However, it’s important to note that this downgrade is not simply because the company was breached. No, Moody’s is being consistent with its event risk research. In addition to settling claims for $700 million, Equifax is increasing its information security spending in response to the breach for a total of $1.25 billion. As a result, there is expected to be a long-term impact on the organization’s expenses. All of this was unexpected; as such, event risk kicks in and the credit rating has been impacted.
We can speculate about how the credit market would respond to a well-communicated, multiyear, billion-dollar increase in cyber spend pre-security incident (probably similar to this response to Equifax). However, what is known is that it appears that increased security spending, in general, is viewed negatively—at least when it is large, unexpected and in response to specific stimuli.
Perhaps with this kind of incident as prologue, other organizations can rationalize to investors that increases in cybersecurity capital expenditures and operating expenses are loss-avoidance strategies. Indeed, many organizations are using cyber risk quantification (CRQ) to justify cybersecurity expenses without a large breach to which they can point. CRQ is an approach to risk allocation that applies practical, yet still, actuarial-quality methods to potential information security events to show possible losses for events such as the one experienced by Equifax. One popular model for CRQ is FAIR (Factor Analysis of Information Risk), which currently has representation across 30% of the Fortune 1000 companies. If you are trying to determine how Moody’s might treat cyber event risk for your firm, CRQ and models such as FAIR can assist you in identifying the economic impact of just such a ratings adjustment.