For the first time, Moody’s has downgraded a company’s credit rating outlook because of a cyberattack. Moody’s announced May 22 that it was downgrading its rating outlook on Equifax from “stable,” to “negative,” because of the impact of the company’s 2017 data breach. At the same time, Moody’s affirmed its “Baa1” senior unsecured rating on Equifax. The change in credit rating outlook reflects opinion regarding the likely rating direction over the medium term, and the possibility of a ratings downgrade during that time frame. Moody’s cited Equifax’s $690 million FY2019 first-quarter charge for the breach – which reflects Equifax’s estimate for settling data breach-related lawsuits and paying Federal and state regulatory finds – as a partial rationale for the downgrade. “We estimate Equifax’s cybersecurity expenses and capital investments will total about $400 million in both 2019 and 2020 before declining to about $250 million in 2021,” Moody’s said, adding, “Beyond 2020, infrastructure investments are likely to remain higher than they had been before the 2017 breach.” Moody’s also hinted that while Equifax may have been the first to have its rating outlook cut because of a cyberattack, it likely won’t be the last. The firm is in the process of making cyber risk a part of its credit ratings, which would make companies liable for their cybersecurity practices. Unsurprisingly, Moody’s said firms most at risk for potential downgrades are data-focused companies, such as financial and securities firms, hospitals, market infrastructure providers, and electric utilities.
