Companies must do more to protect themselves against cyber aggression, as the market will be watching

In May a rating agency proposed that early detection of cyber aggression should factor into assessments of companies’ creditworthiness. This proposal follows a decision by Lloyd’s Market Association, an umbrella insurance organization, to no longer cover state-backed cyber attacks. The implication is clear: companies must do more to protect themselves against cyber aggression, because the market will be watching and they can’t expect insurers to tolerate sloppy defense. Indeed, it’s a demonstration of how the market is waking up to the threats posed by geopolitically motivated aggression. Companies should prepare to demonstrate resilience to such threats and the ability to detect them early – because lenders and investors will want reassurance of such preparedness.

When Lloyd’s Market Association announced, in early 2021, that state-backed cyber aggression would be excluded from the coverage offered by its member insurance companies, few were surprised. For years, insurers and the companies they insure have been at loggerheads over how to tackle increasingly sophisticated cyber aggression.

Often the aggression is so sophisticated because it’s conducted or backed by a hostile state. That was the case with the devastating 2017 NotPetya attack, which was attributed to Russia and caused a string of multinationals including Merck and Mondelez losses of hundreds of millions of dollars each. When some of Merck’s and Mondelez’s insurers refused to pay, citing war-like actions, the companies sued. Merck won (and was awarded $1.4 billion), while Mondelez settled its case.

Such litigation over the definition of the attack, though, won’t solve cyber aggression. The problem is that many companies only discover an attack when it’s already well underway. In 2020, for example, hackers believed to be backed by the Russian government, penetrated the software company SolarWinds, whose products are used by thousands of companies and government agencies. Countless of these customers were slow to detect the attack, which ended up causing enormous operational and financial damage.

Now S&P, the rating agency, has published highlighting organizations’ poor ability to detect cyber intrusion. “Rapid detection of a cyberattack is the foundation of an organization's ability to avert and limit financial and reputational damage from a systems breach,” the company argues. The company’s Lead Cyber Risk Expert, Martin Whitworth, adds in an accompanying press release that “organizations are coming to accept that it is a matter of when, not if, they are targeted by cybercriminals. That is changing the dynamic of cyber risk management, pushing damage limitation to the forefront and, as a result, turning the spotlight on attack detection”.

When S&P speaks, it matters in the marketplace. While it and the other rating agencies don’t issue investment advice, they do issue ratings of companies’ and governments’ creditworthiness. As S&P explains in its guide to credit rating, “Our ratings express the agency’s opinion about the ability and willingness of an issuer, such as a corporation or state or city government, to meet its financial obligations in full and on time”.

That ability, though, could be curtailed by losses incurred by cyber attacks, especially since many companies don’t have cyber insurance or only partial cover. Indeed, since cyber aggression is becoming ever-more sophisticated – not least thanks to the involvement of hostile states – losses from successful attacks are likely to be significant. Even the risk of an attack like NotPetya will have an effect on prospective lenders’ assessment of a company or a country.

S&P doesn’t say it will start measuring companies’ ability to detect cyber intrusion. It says, though, that it “views weak threat detection as a possible deficiency in organizations’ operational risk management and potentially a negative factor for issuers’ credit quality”. One might ask why rating agencies don’t already, by default, measure this ability. Indeed, one can argue that companies’ (and governments’) ability to detect other potentially catastrophic events should similarly be part of rating assessments, especially since catastrophic events caused by Mother Nature or hostile states are increasing. To get an AAA rating, companies and governments should, for example, be able to illustrate excellent abilities for early detection of not just natural disasters but all forms of grayzone aggression, ranging from sabotage of critical national infrastructure to weaponization of migration. Precisely because grayzone aggression can involve any tool or area, early detection is crucial.

To be sure, rating agencies’ judgments are not infallible. In 2007 and 2008, it turned out that the three market leaders had incorrectly given high ratings to subprime securities. When the subprime mortgage crisis arrived, they downgraded their ratings – but the catastrophe couldn’t be averted. As the world becomes more volatile, especially as a result of the geopolitical standoff between the West and a loose China-Russia coalition, lenders are likely to turn to assessments like the one proposed by S&P for cyber – but that volatility makes rating assessments more challenging. It also raises the question of who should face the financial consequences in cases where a calamity proves a high rating incorrect.

The new dangers facing companies might even spawn new rating agencies specializing in risks the three traditional ones have so far not focused on. Either way, lenders – not to mention investors – will want to know how prepared companies and governments are for the new risks facing them.