Equifax Becomes First Firm To See Its Outlook Downgraded Due To A Cyber-Attack
Equifax has had a terrible two years since it was the victim of a huge breach in 2017. One of the worst things about the hack was that it could have been prevented—it happened because the firm failed to patch an Apache Struts open source web server.
But Equifax is still paying for its mistake: it has just suffered another major blow after Moody’s slashed the rating outlook on the firm, according to CNBC. It’s the first time cybersecurity problems have been cited as the reason for a downgrade.
Moody’s lowered Equifax’s outlook from stable to negative last week (May 22). “We are treating this with more significance because it is the first time that cyber has been a named factor in an outlook change,” Joe Mielenhausen, a spokesperson for Moody’s, told CNBC. “This is the first time the fallout from a breach has moved the needle enough to contribute to the change.”
Moody’s said Equifax’s $690 million first-quarter charge for the breach, which took into consideration ongoing class actions and regulatory fines, contributed to the downgrade. Another factor was the firm’s ongoing, necessary cybersecurity investments.
Equifax sent me a statement via email, which reads: “Moody’s affirmed our Baa1 senior unsecured rating and the short term rating at Prime-2. Any questions about the outlook change should be directed to Moody’s. EFX remains solidly investment grade and the revision in Moody’s outlook will not impact our internal investments including new products, our $1.25B EFX2020 technology and security advancements, or future acquisitions.”
But the move is significant because it will impact the decisions of investors, who use rating firms to predict the long-term impact of mega-breaches.
“We estimate Equifax’s cybersecurity expenses and capital investments will total about $400 million in both 2019 and 2020 before declining to about $250 million in 2021,” says Moody’s note. “Beyond 2020, infrastructure investments are likely to remain higher than they had been before the 2017 breach.”
Equifax might not be the only firm to suffer in this way following a breach. Moody’s is working the risk of a business-ending hack into its credit ratings, according to CNBC.
Incentive to protect data
This news will have a massive impact. It is a huge financial incentive for other firms to take reasonable precautions to protect sensitive data, says Ian Thornton-Trump, security head at AmTrust Europe. “The consequences of a data breach are now very tangible and this downgrade would be a nightmare for Equifax.”
“What we are witnessing is public and private sentiment that a poor attitude towards data protection has the potential to hit the bottom line profitability of a company in any number of ways. In short, this is a huge wakeup call from the companies that handle credit and corporate bond rating.”
It’s already starting to happen, but this news shows that cybersecurity needs to move up a firm’s list of priorities. “Anything can happen post data breach,” says Thornton-Trump. “It becomes unknown territory when it’s so high profile and the bad news continues to hit. If getting loans and selling bonds to get through the crisis is more difficult, your long term prospects are pretty bleak and your customers will be fleeing.”