Data breaches can be costly, both in terms of recovery, lost productivity, and regulatory fines. Moody’s revising its outlook on Equifax proves a breach breach can be detrimental to the company’s financial future.
Credit ratings agency Moody’s revised its outlook on Equifax, from “stable” to “negative,” CNBC reported, citing a recent note from the credit ratings and research service. Investors rely on ratings from services like Moody’s and Standard & Poor’s to determine the trustworthiness of companies and other organizations, as well as the riskiness of such an investment. A lower credit rating means investors will consider that organization as being riskier, and more likely to result in an investment loss.
“We are treating this with more significance because it is the first time that cyber has been a named factor in an outlook change,” Moody’s spokesperson Joe Mielenhausen told CNBC. “This is the first time the fallout from a breach has moved the needle enough to contribute to the change.”
Moody’s rating outlook is an opinion about the direction the organization's rating is headed in the medium term. A negative outlook means there are negative pressures on the organization and that there is a possibility that there will be a downgrade in the credit rating.
The decision to revise the outlook wasn’t just because Equifax had reported a $690 million charge in the first quarter of 2019 for the 2017 data breach which exposed the information of 147.9 million customers. That figure included settling class action lawsuits and potential state and federal regulatory fines. Moody’s noted that the company still needed to make infrastructure improvements to address systemic security weaknesses. While attackers exploited an unpatched vulnerability in Apache Struts on a forgotten server, post-breach analysis found that Equifax had other infrastructure weaknesses and organizational problems that contributed to the breach. Moody’s estimated that Equifax will have security expenses and capital investments of about $400 million in 2019 and 2020, and about $250 million in 2021. Equifax is expected to spend more in infrastructure investments after 2020 than it did prior to 2017.
Moody’s noted that if Equifax will be spending hundreds of millions of dollars on security investments for the next few years, that’s money that is not being invested in new revenue-focused products. Rivals Experian and TransUnion will be able to experiment during this time period and take market share from Equifax.
Moody’s decision to revise the outlook is the first example of a company being held accountable for its security.
While Equifax may be the first company to face scrutiny by ratings services because of its security missteps, it will likely not be the last. Moody’s is in the process of making cyber risk a part of its credit ratings going forward, and plans to hold companies accountable for their security decisions. Calculating risk will let rating services try to predict the long-term fallout of a data breach. Moody’s isn’t the only ratings service taking this step, either. Other ratings services and insurance companies are also figuring out how to calculate an organization’s security risk.
It would be “super interesting” to see what models Moody’s winds up adopting, Rich Mogull, vice-president of product at DisruptOps, said on Twitter. “Done properly they could have a real impact on practices like data collection and retention that are more impactful than mandated security controls.”
"Actions such as the one Moody has taken are designed to deliver a message, and we know that when boards are engaged in cybersecurity risk issues risk management practices improve, sometimes dramatically," said Gary Roboff, a senior advisor to Shared Assessments.
Data-focused companies such as financial and securities firms, hospitals, market infrastructure providers, and electric utilities are among the firms most at risk for being downgraded under the new scheme, CNBC reported.
Boards and CISOs are carefully watching what happens with Equifax since this is the first time that a data breach will affect the company’s ability to attract investors. Up until now, there hasn’t been a lot of impact on companies post-breach. Shoppers return to the retailers, stock prices bounce back (somewhat), and companies move on after they pay their fines. Moody’s decision to revise the outlook is the first example of a company being held accountable for its security, and is a clear indicator that boards and senior executives need to consider security risk as part of its operational assessment.
This is a wake up call, along with pending suits, that cyber governance and best practices are key," said Catherine A. Allen, chairman and CEO of The Santa-Fe Group. "Boards should have robust discussion on cyber practices, appropriate spending, risk or security committees and appropriate oversight.
This story and headline was updated to reflect that Moody's revised its outlook for Equifax and not the credit rating. An explanation of the outlook was also added.