Moody’s Puts a Significant New Twist on the Business Impact of Cybersecurity
In 2017, Equifax became a target of one of the most significant security breaches in modern history, compromising thousands of passports, driver’s licenses, and military IDs. Additionally, more than 200,000 credit card numbers (with expiration dates) and the Social Security numbers of more than 146 million consumers were lost in this Equifax data breach, representing roughly half of the U.S. population.
Despite investigations launched by Congress and the Federal Trade Commission, the stolen data has never been recovered. Intelligence officials believe it has been collected and used for foreign intelligence purposes.
Just this week, news broke about the Equifax breach: Equifax will pay at least $700 million to settle lawsuits related to this data breach. As you’d expect, the financial burden in fines and business loss for Equifax has been significant. But by taking a $690 million first-quarter charge related to the Equifax data breach settlement, Equifax realized a new challenge not yet faced by any other business victimized by cyber crime: a downgrade from Moody’s that reduced Equifax’s rating from stable to negative.
Yes, this is the first time cybersecurity has been cited as a factor in a company’s downgrade. The decision is significant because, given the lack of historical data on such incidents, investors increasingly look to ratings firms such as Moody’s to provide research for economic analysis and risk management, which now must include the long-term impact of large data breaches.
In the case of the Equifax data breach, Moody’s recognizes the total costs associated with ongoing class-action cases, more potential state and federal fines, and cybersecurity expenses and capital investments. These costs are expected to total $400 million in both 2019 and 2020 and will increase infrastructure costs in 2020 and beyond.
Equifax is the first, but it won’t be the last. Moody’s is actively building cyber-risk into its credit ratings, which would put corporations on the hook for their cybersecurity practices. Moody's has indicated that the types of companies most at risk include financial firms, securities firms, hospitals, market infrastructure providers, and electric utilities.
Moody’s is also considering a new standalone cyber-risk rating separate from the credit rank. It is also planning to create a list of industries that it will consider to be in a higher risk category for cyber incidents. “The likelihood of credit-rating impact is steadily increasing,” said Derek Vadala, Head of Moody’s Cyber Risk Group. “Different sectors have different levels of credit sensitivity to cyber risk. For those higher-risk sectors, there will be impact down to the individual issuer-level over time.”
It is critical that every business be able to protect itself at the source, knowing that ratings firms and insurance companies will be factoring cyber-risk into their credit ratings. This new step adds another layer to consider on top of the roles the FTC and federal government play in their efforts to hold companies accountable.
We understand the challenges organizations face today in implementing a comprehensive and effective network security and data protection infrastructure—as well as in finding the best way to comply with increasingly difficult industry regulations. While it may be challenging, the right security tools may save the business from the devastating effects of a data breach. This is especially true when you consider that only a subset of companies can absorb the costs described in the Equifax data breach example above.
ARIA Cybersecurity Solutions’ suite of cybersecurity solutions provides the intelligence needed to help any company enhance existing security tools, such as SIEMs, and improve its overall security. In this way, our solutions enable companies to identify potential threats, respond immediately, and disrupt those threats before they turn into a full-blown breach that could affect consumers—and now the company’s credit rating. The ARIA SDS solution delivers the tools and capabilities needed not only to improve any company’s overall security posture, but also to gain the proof needed for legal and regulatory compliance.
Compliance can be tricky, especially when you consider that in many cases, the FTC’s definition of preventing data breaches and/or protecting PII may only require “taking reasonable steps.” ARIA Cybersecurity Solutions’ breach response solution automatically provides the complete details needed to conduct a highly focused forensic analysis to understand the scope and impact of any breach, even a potential breach, in a matter of hours.
The news on the Moody’s-Equifax data breach is evidence that we’re dealing with new requirements related to cybersecurity. While the stakes were always high, they’re now getting even higher.
To learn more about ARIA Cybersecurity Solutions, and how we can help overcome traditional security challenges, please visit www.ariacybersecurity.com.
Or to learn more about how our solutions can help improve security and compliance, be sure to check out our Data Privacy Regulations eBook today.
ARIA Cybersecurity Solutions recognizes that better, stronger, more effective cybersecurity starts with a smarter approach. Our solutions provide new ways to monitor all internal network traffic, while capturing and feeding the right data to existing security tools to improve threat detection and surgically disrupt intrusions. Customers in a range of industries rely on our solutions each and every day to accelerate incident response, automate breach detection, and protect their most critical assets and applications. With a proven track record supporting the Department of Defense and many intelligence agencies in their war on terror, and an award-winning portfolio of security solutions, ARIA Cybersecurity Solutions is committed to leading the way in cybersecurity success.