Nov 7, 2022 - Technology

Exclusive: Cyber regulations could spur "credit positive" environment

Illustration of a dollar sign made of binary code changing into a checkmark made of binary code.

Illustration: Brendan Lynch/Axios

U.S. efforts to crack down on ransomware and mandate companies report cyber incidents could end up being a "credit positive" next year, according to Moody's 2023 cyber outlook shared first with Axios.

Why it matters: A rise in cyberattacks in recent years has caused headaches for businesses as they face high price tags to recover from attacks — and potentially see their creditworthiness hurt following an incident.

The big picture: Credit raters and analysts have started factoring histories of cyberattacks into decisions about whether a company will be able to repay their debts, per the Wall Street Journal.

  • If a company handles a cyberattack poorly, they risk facing a lower credit ranking, signaling that a company might not be able to make necessary payments.

Details: U.S. actions to sanction ransomware actors, target the servers those ransomware operators work on and enact new cyber incident reporting laws could reverse this trend and create a "credit positive" environment in 2023, analysts at Moody's told Axios.

  • Ransomware efforts have started to dissuade attackers from targeting U.S. companies, and incident reporting laws will "help raise a baseline set of information about the scope of cyberattacks," the report notes.

Between the lines: For ransomware, the U.S. is benefiting while organizations in Europe and South America will take a hit as ransomware gangs hone in on them.

  • "This shift will be credit positive for U.S. issuers experiencing a relative reprieve from attacks but negative for issuers in regions with an uptick in ransomware incidents," the report notes.

Yes, but: Moody's outlook could change depending on how exactly new laws and regulations are implemented.

  • Various government agencies — including both CISA and the Securities and Exchange Commission — are currently working on proposals to set up their own reporting requirements. But, as they stand right now, each one has different deadlines and requirements for the incident reports.
  • Whether these efforts can be harmonized will play a huge role in whether they hurt a business's creditworthiness in the future, said Gerry Granovsky, senior vice president of Moody's cyber risk group.

The bottom line: Creditors are hopeful that government attention to cyberattacks could help offset some of the financial turmoil these incidents have caused businesses.

Sign up for Axios’ cybersecurity newsletter Codebook here.

Go deeper