Fitch Ratings, one of the big creditworthiness ratings firms for businesses, published an alert today regarding the impact of cyberattacks on an organization’s creditworthiness.
Their ratings affect an organization’s ability to borrow money because they are worried that unexpected events like cyberattacks could pose financial and operating risks that ultimately affect an organization’s ability to repay debt.
I am sure that this is purely a coincidence, but in the last 30 days a man was arrested after hacking into a Florida water system and raising the chemical settings high enough to kill everyone in the town who drank the water and also the feds indicted a Kansas man for hacking into a local water system in 2019 and attempting to poison the town.
Fitch, I suspect in response, said (connecting their dots, they were much more polite) that water and sewer districts might not be able pay back their debts if everyone in their town was killed by a hacker.
Or even if just some people were killed by the hacker.
Or even if they just had to spend a lot of money to make sure that everyone in the town wasn’t killed by a hacker.
You get the idea.
In this particular alert Fitch is talking about water and sewer districts, but the extension to other businesses is only logical.
Here is the rest of the Fitch story:
Event risks like cyberattacks are considered asymmetric risks per Fitch’s criteria, and are viewed through the lens of the response of management and sufficiency of governance systems and protocols to deflect or absorb the risk. Management and governance is typically neutral to credit, but could be considered credit negative if utilities lack capacity to adequately manage cyber risk or if there are concerns related to transparency, communication or reputational damage following a cyberattack.
Logically, you can replace the word UTILITIES with BUSINESSES.
Fitch assesses a utility’s financial flexibility and its relative capacity to repay debt and other liabilities. Therefore, unexpected costs related to cyber breaches could weaken liquidity metrics and constrain a utility’s overall financial profile assessment per Fitch’s criteria. Emergency efforts to combat cyberattacks could reduce cash reserves and/or increase operating expenses, decreasing funds available for debt service. Unanticipated debt financing to support cyber infrastructure or to capitalize cyber losses could also weaken leverage metrics.
Bottom line, the ratings agencies are starting to understand that the value of an organization can be materially affected by its preparation for a cybersecurity event. Banks and other lenders look to the ratings agencies to understand their risk as well, even if you are not specifically rated by one of the agencies.
While this shift towards factoring in cyber risk to credit risk is not going to shift overnight, the shift has begun.
Credit: Fitch Ratings