Data breaches have historically raised the risk profile of major companies and other large organizations, but a study from the American Accounting Association found enterprises also face a rise in borrowing costs. The financial consequences can range from higher interest rates from banks to higher risk profiles from capital markets.
Banks charged substantially higher interest rates to companies that previously suffered data breaches, according to the report, published in The Accounting Review last month. If the data breach involved large numbers of consumers, those costs were even higher. Based on an average loan amount of $923 million, interest rates increased about 39.85 basis points at an additional cost of $3.68 million, according to Henry Huang, associate professor at Yeshiva University and a co-author of the research study.
Researchers reviewed 139 reported data breach incidents between 2005 and 2014, as well as bank loan data between 2003 and 2016. The researchers reviewed 1,081 bank loans at publicly traded companies. Of the 1,081 loans, 587 loans went to companies that suffered a breach, while 494 loans went to companies that had not suffered a breach.
Assessments of the financial costs of data breaches previously focused on direct impact, including detection and notification costs. However, the researchers behind the study wanted to examine the indirect costs of data breaches, specifically how they affect the cost of debt.
"A breached firm is deemed to have higher operating risk and thus have higher loan default risk," Huang said via email.
For example, companies impacted by data breaches lost major customers and had more volatile earnings following the incidents, he said. The impact was often more severe if the data breach was the result of criminal action, such as payment card fraud or a deliberate hack.
Banks often demanded a higher amount of collateral and loan covenants from companies that had suffered a breach.
Borrowing costs went up in industries deemed vulnerable to attack, according to the report. Borrowers in vulnerable industries, including healthcare, transportation, computer and electronics, incurred higher borrowing costs.
For companies that fall short of data security standards, the financial impact can be costly.
"This appears to be a very similar tactic used by banks to penalize an organization that fails to comply with PCI (payment card industry) data handling standards," said Tom Garrubba, CISO of Shared Assessments. "In PCI, financial institutions will often increase the transaction rate of each payment card transaction then reduce it once PCI certification has been reached."
Garrubba said in many cases the cost can be as much as twice the original transaction cost with the bank.
In 2019, Moody's downgraded Equifax, citing the impact of a 2017 data breach, which included the potential for global litigation and higher-than-expected IT costs. Earlier this year, Moody's warned that attacks like the SolarWinds supply chain breach could open up increased competition for vendors.
The good news for companies is that a data breach does not permanently affect a lender's risk assessment. Banks look favorably on companies that take remedial action, such as hiring an outside firm to help assess the impact of a breach or improving employee training to help prevent future breaches, according to the research.
"So it is never too late for firms to take preventative or remedial actions against cyberattacks given the prevalence of these attacks nowadays," Huang said.
A recent spike in criminal cyber activity — particularly ransomware — has raised concerns in the financial services industry about the downstream impact on credit risk. Last month, Fitch Ratings warned that ransomware was becoming a global threat to security and financial stability.
Fitch cited a 485% surge in ransomware in 2020, based on Bitdefender's research. Cyber insurance coverage is already showing higher premiums and the potential for exclusions in the case of ransomware, which would force companies to directly absorb the cost of cyber attacks.
Last month, Moody's raised concerns about the credit risk of the ransomware attack on Colonial Pipeline.
Despite the heightened risk of cyber disruption on loan spreads, certain companies impacted by the recent spike in ransomware activity have thus far withstood the impact.
Last week, Moody's issued a report saying the ransomware attack late last month on JBS USA Holdings, a major subsidiary of the Brazil-based meat supplier, would have a negligible impact on the company's credit rating.
JBS had ample financial cushion to absorb the cost of temporarily shutting down its production facilities and to remediate the impact on its IT systems, Moody's said.