For the first time ever, a company has had its ratings outlook downgraded on the basis of cybersecurity concerns. In late May, ratings firm Moody’s surprised Wall Street when it downgraded the ratings outlook for Equifax, which was the target of a massive data breach in 2017 that impacted nearly 150 million people, from “stable” to “negative.” Moody’s cited two major factors in the Equifax downgrade – escalating litigation and regulatory costs related to the 2017 data breach, and the company’s decision to ramp up its future spending on cybersecurity spending over the next two years. Combined, these two factors will continue to hurt both the profitability of Equifax and its free cash flow, thereby dragging down the financial strength of the company.
Reasons for the Equifax downgrade
On the surface, the Equifax downgrade may appear to be unfairly punishing a company for an event that happened nearly two years ago. However, a 2018 U.S> Congressional investigation into the cyber attack found that the data breach was “entirely preventable.” In addition, Equifax appeared to be woefully unprepared for such a cyber attack. The full Congressional report cited “a lack of accountability and management structure,” “complex and outdated IT systems,” a “failure to implement responsible security measures,” and an inability to respond to affected consumers. In other words, Equifax was a disaster waiting to happen.
As might be expected the size and severity of the Equifax data breach, class action lawsuits soon followed, as did the threat of stiff regulatory penalties at the state and federal level. To this day, Equifax is still reeling from the impact of the 2017 data breach. In the first quarter of the year, the company posted a $690 million charge to cover cost related to settling ongoing class action lawsuits, investigations, and potential federal and state regulatory penalties. And that might not be the end of the damage: when Equifax’s lawyers tried to get an Atlanta judge to dismiss future class action lawsuits, the request was denied. So it’s not out of the question to expect higher cybersecurity costs in the near future.
Moreover, given the glaring weaknesses in Equifax’s cyber defenses and potential for even more data breaches, the company is being forced to spend aggressively on cyber infrastructure over the next 24 months. In 2019 and 2020, the company expects to spend nearly $400 million on cyber infrastructure upgrades, Moody’s told CNBC. That’s more than twice what the company originally projected to spend on shoring up its cyber defenses. Moreover, the company’s baseline spending on cybersecurity will ramp up to $250 million 2021 and beyond. As Moody’s noted in its commentary about the Equifax downgrade, the fallout from the data breach – measured purely in financial terms – was more than enough to “move the needle” and trigger the ratings outlook downgrade.
Laurence Pitt, Strategic Security Director at Juniper Networks, commented on Moody’s decision to downgrade the outlook for Equifax: “A stock downgrade following a cyber attack is not a surprise; in fact, it cements what we have been saying for a long time. Cybersecurity is a boardroom issue. Think about it – everyone is in business with a single goal, which is to make money. This includes the bad guys except that they want to make their money by preventing someone else from doing the same. When calculating cyber risk for insurance or investment reasons a modern enterprise needs to consider brand, reputation and fiscal impact as highly as the cost incurred in the mitigation of an attack. Unless they give equal view to all areas, then cyber could finish up under invested which equals risk.”
A message for other data-centric companies
What made the security lapses at Equifax so glaring was the very nature of the company’s business model: the company exists solely on the basis of collecting, analyzing and distributing extremely sensitive personal data. Surely, someone in the C-suite would have demanded the very best industrial-grade cyber defenses to protect all that valuable data, right? As you might have guessed by now, the answer to that question is a resounding “NO.” The data breach back in 2017 eventually led to the ouster of both the CEO and the CISO, and a call for much greater accountability within Equifax’s senior management ranks.
As Moody’s hinted in its note about the Equifax downgrade, it is highly unlikely that Equifax will be the last company to get a ratings outlook downgrade as the result of a data breach, or the last time that cyber risk will be cited as a factor in an outlook. A number of industries that rely on personal data – including the financial services industry, healthcare industry and securities industry – are all at risk from a major cyber attack. This leads us to expect similar events to the Equifax downgrade. And, indeed, Moody’s also noted that it is working on a way to build cyber risk into its overall credit ratings methodology. This virtually guarantees that cybersecurity costs will continue to be a factor in ratings.
Importantly, however, Moody’s did not downgrade the credit quality of the company’s debt. Equifax debt is still “investment grade,” which means that large institutional investors are still able to buy and trade the debt, despite the Equifax downgrade. A credit downgrade, unlike a ratings downgrade, would have dramatically raised the cost of borrowing money for Equifax and really called into question the viability of the company as a going concern. A negative ratings outlook, in contrast, is more of a warning signal to Wall Street investors that they should spend more time analyzing the company’s overall financial condition.
Cyber security and boards of directors
One big impact of the Equifax downgrade will likely be more board-level attention on cyber issues. In the past, the board of directors of a company might have felt comfortable ignoring cyber issues, or simply asking a few routine questions of the CISO (Chief Information Security Officer) every quarter. Now, however, boards will likely want to get deeper into issues like cyber resiliency, cyber security, and cyber risk management. By not doing so, they could find themselves legally liable and expose their company to regulatory fines or penalties.
Another possible impact of the Equifax downgrade will be greater attention and consideration of cyber insurance risk products. Just as companies can buy insurance coverage for almost every imaginable negative scenario, they now are able to buy cyber risk insurance to protect themselves in the event of a major cyber breach. In the case of Equifax, having a cyber risk insurance policy in place might have made significantly mitigated the costs of class action litigation, and might have even prevented the Equifax downgrade.
Catherine A. Allen, Chairman and CEO of The Santa Fe Group, says that we should expect continued elevation of cyber security as a boardroom issue: “This is a wake up call, along with pending suits, that cyber governance and best practices are key. Boards should have robust discussion on cyber practices, appropriate spending, risk or security committees and appropriate oversight. The patching issue with Equifax is an example of a lack of oversight and discussion.”
George Wrenn, Founder and CEO of CyberSaint Security, agrees with the need to involve boards of directors in any discussion of cyber risk: “Especially in recent years, Boards of Directors must understand their riskiest assets and business endeavors from a cybersecurity risk management perspective. The CEO needs to be able to effectively communicate with metrics that those at the Board level can understand, effectively coupling both quantitative and qualitative risk and compliance analysis facilitated by concise, data-driven, and clear reporting structures. Large organizations are beginning to come up the curve on these ideas, and Boards are beginning to hold CEOs responsible for cybersecurity risk levels within their business. This shift means that CISOs and CEOs must work more closely together, and CISOs need a reporting mechanism to the CEO that takes cybersecurity risk and translates it to business terms that both the CEO and the Board can get behind and act upon.”
So where do we go from here? As cyber security analysts point out, the Equifax downgrade should be a clear signal that massive data breaches have not only a negative reputational effect, but also a very real financial cost. This financial cost can now be measured, in terms of litigation costs, regulatory fines and forced upgrades to cyber infrastructure leading to cybersecurity expenses and capital investments. Going forward, it will be incumbent upon all companies to heed the lessons of the Equifax downgrade and take steps to protect their customers’ data.