Exclusive: Cyber regulations could spur "credit positive" environment
Add Axios as your preferred source to
see more of our stories on Google.
/2022/11/07/1667834958380.gif?w=3840)
Illustration: Brendan Lynch/Axios
U.S. efforts to crack down on ransomware and mandate companies report cyber incidents could end up being a "credit positive" next year, according to Moody's 2023 cyber outlook shared first with Axios.
Why it matters: A rise in cyberattacks in recent years has caused headaches for businesses as they face high price tags to recover from attacks — and potentially see their creditworthiness hurt following an incident.
The big picture: Credit raters and analysts have started factoring histories of cyberattacks into decisions about whether a company will be able to repay their debts, per the Wall Street Journal.
- If a company handles a cyberattack poorly, they risk facing a lower credit ranking, signaling that a company might not be able to make necessary payments.
Details: U.S. actions to sanction ransomware actors, target the servers those ransomware operators work on and enact new cyber incident reporting laws could reverse this trend and create a "credit positive" environment in 2023, analysts at Moody's told Axios.
- Ransomware efforts have started to dissuade attackers from targeting U.S. companies, and incident reporting laws will "help raise a baseline set of information about the scope of cyberattacks," the report notes.
Between the lines: For ransomware, the U.S. is benefiting while organizations in Europe and South America will take a hit as ransomware gangs hone in on them.
- "This shift will be credit positive for U.S. issuers experiencing a relative reprieve from attacks but negative for issuers in regions with an uptick in ransomware incidents," the report notes.
Yes, but: Moody's outlook could change depending on how exactly new laws and regulations are implemented.
- Various government agencies — including both CISA and the Securities and Exchange Commission — are currently working on proposals to set up their own reporting requirements. But, as they stand right now, each one has different deadlines and requirements for the incident reports.
- Whether these efforts can be harmonized will play a huge role in whether they hurt a business's creditworthiness in the future, said Gerry Granovsky, senior vice president of Moody's cyber risk group.
The bottom line: Creditors are hopeful that government attention to cyberattacks could help offset some of the financial turmoil these incidents have caused businesses.
Sign up for Axios’ cybersecurity newsletter Codebook here.
