In a first, Moody's is downgrading a company over its cybersecurity risks
The cybersecurity fallout continues for Equifax, following the company’s headline-grabbing 2017 consumer data breach. Moody’s has now lowered its rating outlook on Equifax, citing cybersecurity issues, according to CNBC. This is the first time cybersecurity has been cited as the reason for downgrading a firm’s outlook from stable to negative, according to a Moody's spokesperson.
“We are treating this with more significance because it is the first time that cyber has been a named factor in an outlook change,” Joe Mielenhausen, a spokesperson for Moody’s, told CNBC. “This is the first time the fallout from a breach has moved the needle enough to contribute to the change.”
CNBC explains that the decision’s significance stems from investors’ increased reliance on ratings firms and insurance companies to gauge the longer-term fallout of massive breaches given the paucity of historical data.
Moody’s cited Equifax’s recent $690 million first-quarter charge for the breach, an estimate which accounts for projected settlements to ongoing class action cases in addition to potential federal and state regulatory fines, as justification for the downgrade. As Gizmodo explained in their own story on the downgrade: "Few people make an informed decision to hand all that data over to companies like Equifax, which explains the surprise of many Americans when they found out their data was likely involved in that 2017 breach." In other words, it's hard for the public to predict when or how their personal data could be put at risk, and companies like Equifax can expect the public outcries to continue when they mess up on cybersecurity.
“We estimate Equifax’s cybersecurity expenses and capital investments will total about $400 million in both 2019 and 2020 before declining to about $250 million in 2021,” Moody’s note on the downgrade reads. “Beyond 2020, infrastructure investments are likely to remain higher than they had been before the 2017 breach.”
Moody’s also cautioned that cybersecurity concerns are not unique to Equifax.
“This is the first time the fallout from a breach has moved the needle enough to contribute to the change.”
“The heightened emphasis on cybersecurity for all data oriented companies, which is especially acute for Equifax, leads us to expect that higher cybersecurity costs will continue to hurt the company’s profit and free cash flow for the foreseeable future,” Moody’s report said.
Moody’s recently revealed that it is currently planning to build cyber risk into its credit ratings to hold companies accountable for cybersecurity, as CNBC reports. Companies most at risk include financial firms, securities firms, hospitals, market infrastructure providers and electric utilities, according to Moody’s.