This report does not constitute a rating action.
- We see a heightened risk of cyber attacks on Ukraine amid escalating tensions with Russia, which could create knock-on effects for corporations, governments, and other parties in the region and beyond.
- The economic impact from such an attack for entities could exceed the $10 billion estimated from the 2017 "NotPetya" attack, given increased interconnectedness and digitalization.
- We consider that issuers with weaker cyber governance and risk management are more exposed to rating implications.
- Moreover, we are monitoring potential credit impact of cyber attacks on insurers and policyholders, given still-ambiguous "act of war" exclusion clauses in insurance policies.
Cyber attacks are becoming a more prevalent means of achieving foreign policy objectives, given their lower deployment costs relative to conventional military tactics and uncertain scope for retaliation. We are also seeing a hybrid cyber-kinetic form of warfare, where cyber assaults can precede or be accompanied by military operations. The intent of such attacks is often to undermine confidence in key institutions and infrastructure, which implies wider credit implications across sectors and geographies. Given tensions between Russia and the West over Ukraine in recent weeks, S&P Global Ratings sees a heightened risk that Ukraine will be the target of additional cyber attacks. We are monitoring if such attacks could spill beyond the country's borders and their potential credit implications.
Cyber Attacks Are Adding To Geopolitical Tensions
Cyber attacks have become a key element of geopolitics, involving state and nonstate actors. The frequency and severity of cyber events are rising rapidly, and their impact ranges from mild disruption of activities to influencing regime change and attacks on critical physical infrastructure. The difficulty in identifying the source and motive of attacks makes nearly all rated sovereigns vulnerable to a geopolitically motivated attack. Advanced and developing economies alike are at risk. Cyber warfare is being used to achieve several different political objectives, including:
- Influence over elections, including through the support of specific political candidates;
- Sabotage or denial of service of critical or noncritical infrastructure; and
- Coordinated military and cyber action or hybrid warfare.
Geopolitical tensions between Russia and the West over Ukraine have recently intensified, raising the risk of restricted trade and capital flows and downside risks to economic growth (see "Global Credit Conditions Special Update: Geopolitical, Inflation, And Rate Risks Rise," published on Feb. 8, 2022, on RatingsDirect). While we are closely watching the developments, we are also monitoring actions on the cyber front that may signal a potential escalation in conflict.
In the most severe scenario of military escalation, we consider that there could be disruptive cyber attacks on critical infrastructure in Ukraine, including communications and power systems, similar to the invasion in Crimea in 2014. However, even in a milder scenario where tensions de-escalate on the back of diplomatic efforts, we may still see cyber attacks. Following the recent defacement of government websites and malware incidents in January 2022, Ukraine has reported attacks against websites of state-owned Oschadbank and Privatbank, the ministry of defense, and its armed forces in mid-February originating from several countries.
There have also been several reports of possible cyber attacks on the U.S. and EU financial sectors.
In response, the U.S. and the EU have threatened a variety of sanctions against Russia that could be triggered by the broader conflict escalation and cyber attacks in particular. Strict sanctions on Russia will, however, likely have broader consequences, such as higher commodity prices and a temporary energy price shock in Europe, which could worsen inflationary pressures (see "Possible Credit Consequences Of Escalating Russia-West Tensions Over Ukraine And Further Sanctions Against Russia," published on Feb. 8, 2022).
Our Sovereign Ratings On Ukraine Account For High External Security Risks
Ukraine has experienced several cyber attacks since 2014 that have been attributed to the Russian government, Russian-backed groups, or Russia-sympathetic hacktivists (see timeline of key events in Chart 1 below). This highlights our view that Ukraine has a ways to go in developing its cyber awareness and expertise, improving coordination among institutions, and responding effectively to breaches. Our sovereign rating and outlook on Ukraine (B/Stable/B) take into account its relatively weak and developing institutions that reflect reduced predictability of future policy responses, uncertain checks and balances between institutions, and high external security risks (see "Ukraine Full Analysis," published on Sept. 13, 2021).
We note that while Ukraine's macroeconomic policy framework is stronger than in 2014, a more extreme scenario involving a growth shock, disruptions to infrastructure and exports, fiscal pressures, and financial instability could put pressure on the sovereign in our view.
Lessons From "NotPetya"
The "NotPetya" attack highlights both the far-reaching implications of cyber attacks and the relevance of governance and risk management. In 2017, a malware called "NotPetya" was distributed in Ukraine through a tax reporting software called M.E.Doc. The attack--which appeared to target Ukrainian institutions, including the central bank, Chernobyl nuclear plant, Ukrenego electricity supplier, and transportation services--caused weeks of disruption for about 7,000 companies across 65 countries globally (see Table 1). This included Danish shipping company A.P. Moller-Maersk A/S (BBB+/Stable/--), which saw 49,000 of its computers and 1,000 applications destroyed. Other global companies affected include Merck & Co. Inc. (A+/Stable/A-1), FedEx Corp. (BBB/Stable/A-2), and Mondelez International Inc. (BBB/Stable/A-2). The attack is considered one of the biggest cyber events in terms of economic impact globally, calculated at about $10 billion.
We did not take any rating actions as a result of these cyber attacks, since we assessed the credit implications as manageable. Under our criteria, we assess an issuer's cyber security practices as part of our overall governance assessment (see "Environmental, Social, And Governance Principles In Credit Ratings," published on Oct. 10, 2021). Where we have seen negative rating actions in the aftermath of a cyber attack, there were typically other underlying credit weaknesses or poor cyber governance that led to larger-scale impact (see "Cyber Risk In A New Era: The Increasing Credit Relevance Of Cybersecurity," published July 14, 2021).
|The Costs Of “NotPetya” For Selected Rated Entities|
|Company||Sector||Cost*||Description of impact|
Merck & Co. Inc.
|Health care||$695 mil.||Disruption to manufacturing, research, and sales operations, with the company unable to fulfill orders for certain products, including vaccines|
|Transportation||$400 mil.||Impaired operations and communications systems, including shipping services and solutions, resulting in a temporary decrease in volumes for the company’s TNT Express business|
A.P. Moller - Maersk A/S
|Transportation||$250 mil. - $300 mil.||Shutdown of IT and communications systems impaired Maersk's terminal operations globally, halting the loading/unloading of cargo for two days and snarling operations for two weeks|
Mondelez International Inc.
|Consumer products||$180 mil.||Shipping and invoice delays, with disruption to the global logistics chain|
Reckitt Benckiser PLC
|Consumer products||$117 mil.||Halting of production, shipping, and invoicing at a number of sites|
Nuance Communications Inc.
|High technology||$92 mil.||Shutdown of certain systems used by health care customers, primarily for transcription services as well as the systems used by its imaging division to receive and process orders|
|Media and entertainment||£10 mil. - £15 mil.||Disrupted services in some areas|
|*Figures are estimates, and in some cases, include lost revenue. Source: New York Fed, S&P Global Ratings.|
Another "NotPetya"-Type Attack Could Be More Severe Due To Increasing Digital Interconnectivity
Increasing technological dependency and global interconnectedness means cyber risk poses a systemic threat and significant single-entity risk (see "Global Credit Conditions Special Update: Geopolitical, Inflation, And Rate Risks Rise," published on Feb. 8, 2022). Cyber events and threats are evolving dynamically. As attacks become more sophisticated, new targets and methods are emerging. Organizations face the risk of criminal and state-sponsored cyber attacks as well as disruptions caused by increasing digitalization with opaque and complex global systems.
Depending on the magnitude and financial impact of future cyber attacks, such an event could trigger widespread rating actions. In our view, entities with weaker balance sheets that lack adequate cyber insurance or other means of liquidity to address financial impacts will be more vulnerable to potential rating actions.
To help mitigate the potential negative credit impact of cyber attacks, robust cyber security remains vital. Other key factors that determine how well entities manage cyber risk include: prompt remedial action, active detection, C-Suite support including budget allocation, and a better understanding of risks arising from third-party providers or supply chains. The latter especially applies to companies that do business with Ukrainian organizations, since connections to Ukrainian systems might be used as a pivot point to other targets.
Although it is crucial to learn from previous attacks and strengthen cyber risk frameworks in real time, the appropriate detection and remediation of attacks takes precedence as the nature of threats will continue to evolve. Key questions are whether organizations have: (i) response plans (business continuity and disaster recovery plans) that are defined, understood, and tested prior to an attack; (ii) backup procedures that ensure that critical data can be restored following a ransomware or destructive cyber attack; and (iii) backups that are isolated from network connections.
Cyber Insurance Is Evolving As Insurers And Policyholders Move Away From Silent Cyber
Cyber insurance is a key component of cyber governance. The "NotPetya" case highlighted the risk of silent cyber, that is where cyber risk is neither explicitly included nor expressly excluded within insurance policies (see "Let's Not Be Quiet About Insurers' Exposure To Silent Cyber," published on March 2, 2021). Where policies carry this type of uncertainty, insurers can find themselves facing losses to settle unexpected cyber-related claims, and policyholders may be exposed to risks they thought were covered.
For example, Merck had a traditional "all-risk" insurance policy with Ace American Insurance. The insurer denied the claim associated with "NotPetya" stating that the policy language did not cover a "hostile or warlike action". However, since this war exclusion was not designed in the context of cyber warfare, but rather for traditional forms of warfare, a New Jersey court ruled in Merck's favor in January 2022. This court decision could have ripple effects for insurers and underscores the importance of insurers having robust cyber war exclusions in noncyber policies to avoid unanticipated exposure to silent cyber.
Silent cyber is also concerning for policyholders as it leaves the scope of their coverage uncertain. Several insurers have been pulling back on cyber coverage and charging higher premiums since 2021, largely due to growing ransomware attacks. In December 2021, Lloyd's of London announced that they would introduce a new framework to cyber war exclusions, applying different levels of exclusions. This differentiation may allow for greater flexibility and transparency and could help insurers to assume different levels of risk. Challenges will likely arise as cyber war is not clearly defined and attribution of attacks to nation states could also be difficult. While demand for cyber insurance has been increasing dramatically, policies that do not provide adequate coverage could dampen their effectiveness for customers and lead to long and costly legal battles.
Thanks to the development of more sophisticated analytical tools over the past two years, we have seen insurers gradually moving from silent cyber to affirmative cyber risk policies by using clear and transparent inclusions or exclusions, which we see as positive.
- Global Credit Conditions Special Update: Geopolitical, Inflation, And Rate Risks Rise, Feb. 8, 2022
- Possible Credit Consequences Of Escalating Russia-West Tensions Over Ukraine And Further Sanctions Against Russia, Feb. 8, 2022
- Ukraine Full Analysis, Sept. 13, 2021
- Cyber Risk In A New Era: The Increasing Credit Relevance Of Cybersecurity, July 14, 2021
- Let's Not Be Quiet About Insurers' Exposure To Silent Cyber, March 2, 2021
|Primary Credit Analysts:||Zahabia S Gupta, Dubai (971) 4-372-7154;|
|Tiffany Tribbitt, New York + 1 (212) 438 8218;|
|Manuel Adam, Frankfurt + 49 693 399 9199;|
|Secondary Contacts:||Karen Vartapetov, PhD, Frankfurt + 49 693 399 9225;|
|Simon Ashworth, London + 44 20 7176 7243;|
|Paul Alvarez, Washington D.C.;|
|Martin J Whitworth, London;|
|Nik Khakee, New York + 1 (212) 438 2473;|
|Sudeep K Kesh, New York + 1 (212) 438 7982;|
No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.