Credit Rating Agency, Fitch, has said that recent cyberattacks targeting U.S. insurers, U.K. retailers, and an Asian airport highlight the growing threat of cyber risk to ratings for entities across all industries and regions, but companies prioritising cyber resiliency can reduce negative credit impacts from these events.
Fitch says that cyber risk remains a key risk to ratings as geopolitical tensions are elevated and specific sectors are actively targeted by threat groups.
The agency says it treats cyber risk as event risk.
“Event risks are a known risk, but the exact timing and magnitude are often difficult to predict. Event risks have the potential to have an outsized impact on the credit profile of a rated entity if they occur. We assess each cyber incident individually, examining operational continuity, impairments to cash flows or margins, reputational damage, and credit metrics relative to headroom in previously established rating sensitivities,” Fitch said in a report titled Cyber Attack Credit Risk Reduced by Operational Resiliency, Vigilance, released on Tuesday, July 1.
Fitch said although cyber events cannot be predicted with great accuracy, the associated risk can be managed through proactive strategies, technology, policies, and vigilance, it said.
“The chief executive officer and board of directors hold ultimate responsibility for managing cyber risk.
Cyber risk, complexity of systems, and impact from attacks vary across and within sectors. Certain industries dubbed critical infrastructure such as banking, energy, and healthcare, and government entities face more frequent attacks. Diverse cyber risk profiles create unique challenges for regulatory and compliance requirements, causing them to lag evolving cyber threats. Well-crafted regulations can establish industry baselines but cannot alone solve cyber risk,” it said.
As companies embrace technology to gain competitive advantages, the agency said, they are increasingly exposed to cyber risk.
“The adoption of advanced digital tools, cloud computing, and interconnectedness of systems and vendors can improve efficiency and innovation but also create vulnerabilities. Several sectors, such as energy and healthcare, use operational technology (OT) and internet of things (IoT) to monitor networks and improve outcomes, but these additions further complicate the cyber environment,” it said.
Recent rating actions highlight the importance of robust cyber resilience measures to withstand and quickly recover from cyber incidents. However, issuers with fewer resources may struggle to develop and maintain adequate cyber defenses, it further stated.
In March, Fitch took negative rating actions on two not-for-profit (NFP) hospitals, partly due to cyber incidents. Both are smaller providers with relatively weak balance sheets and limited cushion against additional stress relative to Fitch’s rated NFP universe. Threat actors target hospitals and health systems for their sensitive data, exploiting technology vulnerabilities, including the use of third-party vendors and equipment.
“Defense against nation-state threat actors require coordination between government and private industries. The U.S. Department of Homeland Security and state regulators have warned companies about potential cyberattacks linked to the conflict with Iran, with “low-level” attacks from hackers linked to Iran or from the government itself. Iranian hackers have attempted to interfere with the 2024 U.S. election and attacked water facilities in the Pennsylvania and New York. Government defense spending, including efforts by more NATO members to meet the annual defense spending target of 5% of GDP, will boost resources to address potential threats to national security, including from state-sponsored cybercrime,” it said.
