Bite, Not Bark: Moody’s Downgrades Equifax on Cybersecurity Concerns
In November we wrote that Moody’s announcement that it intended to consider cybersecurity and cyber risk in its financial ratings completed a trifecta of Board-of-Director-centric cybersecurity developments: the first was the CEO and CISO firings that followed the high-profile events of recent years, and the second was the SEC’s updated guidance on how companies should understand and disclose cyber risk. Any doubt about the significance of that announcement is now gone, as Moody’s has acted on its word and downgraded Equifax’s outlook from “Stable” to “Negative,” based primarily on concerns about Equifax’s cybersecurity.
While Moody’s has reaffirmed Equifax’s previous credit rating of Baa1, a change in the financial outlook could portend further action, and a possible downgrade of this rating. If this were to happen, borrowing costs on its $1.1B revolving credit facility could quickly be impacted.
Either way, this consequence cuts to the core of Board of Director fiduciary responsibilities and underscores why Boards need not only to pay attention to cybersecurity, but also to demand that business and security leaders manage cybersecurity in a manner that can withstand similar adverse actions.
This action is not isolated; it is further evidence that Moody’s is following through on its November announcement to actively consider building cyber risk into its credit ratings. It is the first known instance of Moody’s downgrading a company’s outlook on cybersecurity grounds, but Moody’s has also recently recognized positive behavior: in December of 2018 it cited the American Public Power Association’s cybersecurity efforts as a factor in maintaining a “stable” rating on the public power sector for 2019. What is concerning about the Equifax announcement is the underlying implication. The intermediate financial impact of the event and the cost of improvements can’t be disputed (Moody’s specifically notes the breach costs plus the major increase in cybersecurity spending), but the downgrade does seem to imply continuing concerns about Equifax’s cybersecurity maturity and its ability to manage the risk effectively.
At this point, given the major scrutiny that Equifax has been under and the likelihood that cybersecurity leadership has a blank check from management, it would seem reasonable to expect the opposite: that Equifax would be on the path to making itself a poster child for cybersecurity and would be recognized accordingly. Since that is not the case, it’s not unfair to interpret the downgrade as further recognition that Equifax’s cybersecurity problems are more deeply rooted and will take far longer to remedy. Equifax’s approach to cybersecurity and cyber risk was probably flawed and needs to be entirely rebuilt.
Whether or not that is true for Equifax, in our experience it is true for many organizations. Gone are the days of being able to rely disproportionately on technology controls, on point-in-time assessments with “green,” “yellow,” and “red” indicators of security, and on buying insurance based on peer benchmarking reports provided by insurance brokers (Equifax has disclosed that it purchased $125M of cyber insurance, an amount quite inadequate relative to the cost of the event). That’s the real lesson here for Boards of Directors as they struggle to tackle cybersecurity and fulfill their duty-of-care responsibilities: managing cybersecurity according to the old paradigm risks a negative action by Moody’s or the other financial rating agencies, especially in the aftermath of an event, when a rating downgrade is effectively pouring salt into a wound.
Luckily, achieving an appropriate level of cybersecurity understanding and maturity is well within reach today, and in a way that could be used to answer any questions raised by Moody’s and others.
- Understand your cyber risk exposure as it relates to the business, and express it in financial terms. Start by asking a simple question: “If a cyber event happens to us, what might it look like?” Generate some scenarios based on what you do, how you use technology, and what the impact of that technology failing might be. Could there be a data breach? Could there be a business interruption due to system outages? Could somebody dupe one of your treasury staff into wiring money to a fraudulent account? Could a hack into your process control technology cause tangible damage and bodily injury? Then take a sampling of scenarios and have various operational and functional experts contribute their knowledge to estimate the impact of those events. Gaining this knowledge is especially critical if Moody’s independently attempts to estimate your financial exposure to a catastrophic cyber event: they simply won’t be able to achieve the same level of accuracy without knowing how the organization ticks on a daily basis. You have that knowledge and can use it to your advantage.
- Use a maturity-based cyber program management model, such as the NIST Cybersecurity Framework (CSF) or the Cybersecurity Capability Maturity Model (C2M2), align it with the scenarios that you quantified in step one, and ensure that the resulting insights are reported to the Board in an understandable way. Why one of these maturity models? Because a maturity-based approach recognizes that cyber risk is dynamic and that managing it is a 24/7 endeavor. Compliance frameworks and standards, on the other hand, won’t ever go away, but all too often they produce a false sense of confidence once the checklist is complete and the compliance framework is met. And why align the model with the scenarios? Because that connects the cybersecurity program with the business, a critical link that lets Boards understand the cyber program effectively. Further, it is the best way to align the universe of controls and technologies with the areas of greatest risk, providing additional evidence for parties like Moody’s that you are focused on appropriately protecting the long-term health of the organization.
- Maintain the resources and financial ability to recover from a meaningful event. At the end of the day, everything translates into financial terms. Strive to maintain the right balance of financial reserves and insurance to pay for much or all of the forensics costs, notification requirements, lost revenue, stolen funds, legal fees and liabilities, repair or replacement of damaged assets, and other costs. How do you get a reasonable idea of what those costs might be? See step one.
- Support all of the above with peer benchmarking and best-practices insight. Because cyber risk is incredibly dynamic, and traditional means of risk management (such as complying with standards or achieving certifications) can serve only as a baseline, benchmarking and best-practices insight can be the best way to demonstrate cybersecurity maturity. Is your cyber exposure in line with, or more favorable than, that of your peers? Is your cyber program in line with, or more favorable than, that of your peers?
Put it all together and a Board of Directors can confidently and continuously validate that the organization is meeting its fiduciary responsibility for managing cyber risk: “We understand our exposure, we’re managing the risk as effectively as possible, we have the ability and financial resources to recover from a major event, and we can provide evidence.”
Cyber risk is the peril of our generation. Despite the need, organizations struggle to get actionable visibility into their cyber risk. Technology has been the dominant focus thus far, but it’s not a silver bullet. Managing risk requires continuous evaluation across technology, people, process, and financial controls.
At Axio, we believe that everyone should have the means to solve their unique cyber risk challenges, so we created the Axio360 platform to deliver on that belief. Our approach and insights give companies visibility into their cyber risk and enable them to prioritize investments to protect their business and employees.
Axio360 is the only methodology and software that empowers organizations to continually answer the four most critical questions for cyber risk:
- What’s my exposure in financial terms?
- How mature is my cyber program?
- Do I have the financial ability to recover from an event?
- Where should I invest?
For more information contact us at email@example.com