NormShield Blog

The intertwined relationship between credit ratings and cyber risk scores after the downgrade of Equifax’s rating by Moody’s

Moody’s has just downgraded its rating outlook on Equifax because of the company’s 2017 data breach. This is the first time a cyber event has affected the credit rating of a company.

A spokesperson for Moody’s, Joe Mielenhausen, told CNBC that Moody’s was treating this with more significance because it is the first time that cyber has been a named factor in an outlook change, and it is also the first time the fallout from a breach has moved the needle enough to contribute to the change. (*)

The intertwined relationship between credit ratings and cyber risk scores

Cyber risk scores, also known as cybersecurity ratings, show the cybersecurity posture of a company by providing an external risk assessment. In the last five years they have become a trend, and several vendors, including NormShield, now provide cyber risk scores.

Gartner foresees that, by 2022, cybersecurity ratings will become as important as credit ratings when assessing the risk of existing and new business relationships. Moody’s downgrade of Equifax also reveals this intertwined relationship between credit ratings and cyber risk scores.

It is no secret that Moody’s is working on building cyber risk into its credit ratings, which would put corporations on the hook for their cybersecurity practices. Converting a probable cyber security event into monetary risk is crucial, considering that Moody’s cited Equifax’s recent $690 million first-quarter charge for the breach as contributing to the downgrade.

How to get the probable financial impact of a data breach

When a data breach occurs, there are primary losses associated with funds spent to accomplish a given activity such as engaging forensic experts, hiring a law firm, or offering victims identity protection services. 

On top of those, there are also secondary losses related to indirect costs that involve the allocation of resources, such as employees’ time and effort to notify victims and investigate the breach. Indirect costs also include the loss of goodwill, customer churn and reputation damage, as well as regulatory fines. Secondary losses are usually higher than the primary losses because of new regulations that have kicked in in recent years, such as the EU General Data Protection Regulation (GDPR).

The probable financial impact of a data breach is very difficult to predict, but it is not impossible. For instance, the FAIR Institute developed a model called Factor Analysis of Information Risk (FAIR) to address this problem.

What is the FAIR model?

Factor Analysis of Information Risk (FAIR) is the only international standard quantitative model for information security and operational risk. The model:

  • Provides a model for understanding, analyzing and quantifying information risk in financial terms.
  • Is unlike risk assessment frameworks that focus output on qualitative color charts or numerical weighted scales.
  • Builds a foundation for developing a robust approach to information risk management.

The FAIR model components are specifically designed to support risk quantification, through:

  • A standard taxonomy and ontology for information and operational risk.
  • A framework for establishing data collection criteria.
  • Measurement scales for risk factors.
  • A modeling construct for analyzing complex risk scenarios.

The FAIR model analysis complements existing risk management frameworks by building on qualitative efforts in order to better quantify risk. Shortcomings in risk management frameworks include:

  • Organizations such as NIST, ISO, OCTAVE, ISACA, etc. are useful for defining and assessing risk management programs, but go no further than those parameters.
  • Most frameworks prescribe the need to quantify risk, but for the most part, they leave it up to the practitioners to figure that process out.
  • Some are silent on the subject of how to compute risk, while others are open in the allowance of third-party methods.
  • Frameworks such as NIST 800-30 attempt to measure risk, but fall short as they rely on qualitative (not quantitative) scales and flawed definitions.

FAIR helps fill the gaps in other risk management frameworks by providing a proven, standard risk quantification methodology that can be used alongside those frameworks.

What if the data breach is caused by a third-party supplier?

A recent survey conducted by the Ponemon Institute reveals that 59% of companies experienced a third-party breach in 2018. Data breaches caused by third parties cost large companies millions of dollars and are devastating to small businesses. Many regulations hold large companies responsible for data breaches caused by a third party.

Third parties are those companies that support your organization and often have access to, share, or maintain data critical to your operations. Third parties include a broad range of companies such as data management companies, law firms, e-mail providers, web hosting companies, subsidiaries, vendors and subcontractors: basically, any company whose employees or systems have access to your systems or your data. However, third-party cyber risk is not limited to these companies alone. Any external software or hardware that you use for your business also poses a cyber risk. There are several tools to assess third-party cyber risk and ways to prevent software supply-chain attacks. Knowing your potential risks allows your business to make adjustments and protect itself from becoming the next cyber breach headline.

Quantifying third-party risk in terms of probable financial impact helps increase the maturity of third-party risk management (TPRM) programs.

How to use the FAIR model to quantify third-party risk

In a mature risk management program, risk is usually defined in business terms (financial impact) and then measured against factors such as risk appetite (the defined dollar figure of risk that a company is willing to accept) and risk tolerance (the percent beyond the defined dollar amount that a company is willing to tolerate). However, many organizations have a hard time measuring third-party risk in these terms. This creates frustrations for both risk practitioners who want a more effective way to quantify results and business decision makers who want clear metrics in order to make more informed decisions.

Leveraging FAIR assessment at scale for TPRM helps attain the goal of cost effectively achieving and maintaining an acceptable level of loss exposure, while also clearly conveying the breadth of probable impact to the organization.
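As an added worked example (not NormShield’s tooling or the FAIR Institute’s reference implementation), the Python script below runs a simple FAIR-style Monte Carlo for a hypothetical third-party supplier breach, tying together the FAIR factors described above and the risk appetite and tolerance terms used in this section: loss event frequency is threat event frequency times vulnerability, loss magnitude is primary plus secondary loss, and the resulting annualized loss exposure is compared in dollar terms against a risk appetite and a tolerance percentage. All ranges, dollar figures and the appetite/tolerance values are constructed assumptions.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated min / most-likely / max estimate, sampled as a triangular distribution."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class FairScenario:
    threat_event_frequency: Estimate  # threat events per year against the supplier
    vulnerability: Estimate           # probability a threat event becomes a loss event
    primary_loss: Estimate            # $ per event: forensics, law firm, identity protection
    secondary_loss: Estimate          # $ per event: notification effort, churn, reputation, fines


def simulate_ale(scenario: FairScenario, iterations: int = 10_000, seed: int = 1) -> list:
    """Monte Carlo over the FAIR factors; returns sorted annualized loss exposure samples ($/year)."""
    rng = random.Random(seed)
    samples = []
    for _ in range(iterations):
        # Loss Event Frequency = Threat Event Frequency x Vulnerability
        lef = scenario.threat_event_frequency.sample(rng) * scenario.vulnerability.sample(rng)
        # Loss Magnitude = Primary Loss + Secondary Loss, per loss event
        loss_magnitude = scenario.primary_loss.sample(rng) + scenario.secondary_loss.sample(rng)
        samples.append(lef * loss_magnitude)
    return sorted(samples)


def percentile(sorted_samples: list, p: float) -> float:
    return sorted_samples[min(len(sorted_samples) - 1, int(p / 100 * len(sorted_samples)))]


def risk_decision(exposure: float, appetite: float, tolerance_pct: float) -> str:
    """Compare a dollar exposure to the risk appetite ($) and tolerance (% beyond the appetite)."""
    if exposure <= appetite:
        return "within appetite"
    if exposure <= appetite * (1 + tolerance_pct / 100):
        return "within tolerance"
    return "exceeds tolerance"


# Constructed, hypothetical estimates for a data-management supplier that holds customer records.
SUPPLIER_BREACH = FairScenario(
    threat_event_frequency=Estimate(1, 4, 12),
    vulnerability=Estimate(0.05, 0.15, 0.40),
    primary_loss=Estimate(200_000, 600_000, 2_000_000),
    secondary_loss=Estimate(500_000, 2_000_000, 6_000_000),
)

if __name__ == "__main__":
    ale = simulate_ale(SUPPLIER_BREACH)
    p90 = percentile(ale, 90)
    print(f"ALE p10/p50/p90: ${percentile(ale, 10):,.0f} / ${percentile(ale, 50):,.0f} / ${p90:,.0f}")
    print("Decision at p90 vs $1M appetite, 25% tolerance:", risk_decision(p90, 1_000_000, 25))
```

Reporting the p90 (or another agreed percentile) rather than a single point estimate is what lets the business compare a supplier’s exposure to its stated appetite and tolerance.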

You can find more information in our 3-part blog series and webinar on quantifying third-party risk with the FAIR model.

Part 1: Using the FAIR Model to Quantify Third-Party Cyber Risk

Part 2: How to integrate NormShield’s FAIR analysis into a third-party risk management (TPRM) program

Part 3: Maturing a third-party risk management program using the FAIR model to improve due diligence and action plans

Webinar: How to leverage the FAIR Model at scale for 3rd Party Risk

Request a FAIR report

(*) https://www.cnbc.com/2019/05/22/moodys-downgrades-equifax-outlook-to-negative-cites-cybersecurity.html