articles Ratings /ratings/en/research/articles/221107-perspectives-on-cyber-risk-across-corporates-the-potential-impact-of-cyber-threats-is-growing-12530941 content esgSubNav
In This List

Perspectives On Cyber Risk Across Corporates: The Potential Impact Of Cyber Threats Is Growing


Credit FAQ: A Closer Look At CK Hutchison Group's Credit Quality


Credit FAQ: The U.S. Veterinary Industry Will Face Additional Challenges As We Enter An Expected Recession

The Upgrade Episode 26: 'CCC' Buckets Pick Up In CLOs As Cash Flow Generation Falls

Cracking & Fracking Episode 19

Perspectives On Cyber Risk Across Corporates: The Potential Impact Of Cyber Threats Is Growing

In our previously published cyber risk commentary, "How Cyber Risk Affects Credit Analysis For Global Corporate Issuers", we discussed the growing risk of cyberattacks to nonfinancial corporates. While not a material driver of credit rating actions to date, we noted the rising nature of the threat, both in terms of frequency and monetary impact. We emphasized the importance of preparation through robust cyber hygiene and described the key elements of our ratings framework that could be negatively affected by cyberattacks or weak cyber risk preparedness.

We have since surveyed our senior corporate sector specialists to gauge their view of the cyber threat facing corporates today. We have also compiled certain case studies of past cyber incidents across geographies and industries, to highlight the wide range of impacts on global corporate issuers and to what extent they could affect credit quality.

Sector-Specific Assessments

Cyber risk vulnerability for nonfinancial corporates varies across sectors, although no sector is completely immune

When we look at cyber risk for nonfinancial corporates, the landscape is particularly varied across sectors. Even within a particular industry, company-specific risks vary greatly because of business model, geographical presence, and size and scale. These factors have significant implications in terms of companies' adoption of technology, cyber hygiene, and ultimately shaping their exposure to cyber risk.

To gauge relative cyber risk across industries, we surveyed our global industry sector specialists and asked them to categorize the current threat level (e.g., probability of cyberattacks occurring) based on their views of the characteristics of the industry (such as data and IP assets, technological complexities, social presence, operational exposures, etc.; see chart 1). The chart illustrates analysts' assessment of the industry's risk exposure or risk of experiencing a cyberattack or incident. This differs from the potential credit impact following a cyberattack, which we study further in the subsequent section.

Chart 1


The themes that dominate the higher-risk group include extensive use of payment processing systems and personal financial data (retail and restaurants), valuable IP (pharmaceuticals), sensitive personal data and infrastructure (technology, health care) and infrastructure and control system attacks (telecoms, technology, utilities). The industries perceived to be less vulnerable tend to have comparatively lower value-added or commoditized products, IP-related risk, and generally limited reliance on high-end technology and lower public network touchpoints (for example real estate, chemicals, and forest and paper products).

When we compare our survey data with reports from third-party surveys or sources (e.g., Guidewire), we see similar results where sectors like technology, health care, telecoms, and retail and restaurants, are often more significantly exposed to cyber risks. As chart 2 illustrates, this could be particularly relevant to a sector like health care because on average, companies with higher leverage and lower free operating cash flow (FOCF) to debt would have less financial flexibility to absorb financial losses or operational disruption from cyberattacks.

Chart 2


Monetary losses from severe cyberattacks could be material.

To date, rating actions where cyber risk has led to direct or indirect credit deterioration, have been relatively low. That said, monetary losses stemming from cyberattacks have been on an overall upward trend over the last few years based on reported disclosures. According to IBM Security, the average cost of a data breach event was $4.35 million in 2022, up roughly 12.7% since 2020. This study looked at data breach incidents that did not exceed 102,000 data records. However, the risk of more severe black swan events such as the cyberattacks that occurred at Equifax, Capital One, or Facebook are also ever present, heightening the need for strong cyber defenses among the most exposed industries. To examine this risk, we used Guidewire's tail-value-at-risk calculation that measures the weighted average loss for the 40 most severe simulations in Guidewire's model. Based on this calculation, losses as a percent of revenue range from less than 1% to over 4% for global nonfinancial corporate sectors. On average, sectors rich in personal and financial data, IP, and operational technologies, such as media, entertainment and leisure, retail & restaurants, and telecommunications would experience the greatest losses as a percent of revenue under severe scenarios (see chart 3). While these severe estimated losses are based on low-probability events (e.g., less than 1%), companies with higher exposure and critical assets should prepare for extreme cases within their response and recovery plans.

Chart 3


The key consequences of cyberattacks are business interruption and reputational damage

We asked our sector specialists to give their rankings of the main risks arising from a cyber incident for the companies in their sector. Most of our credit analysts and sector specialists ranked business interruption as the most material and significant risk followed by damage to brands (see chart 4). Ransomware payments and regulatory fines are considered relatively more manageable risks, at least from a credit perspective. This is mainly because monetary losses related to ransom payments and regulatory fines—except for rare cases—have been relatively modest to date when compared with an issuer's financial resources. That said, fines have been increasing over the last several years, especially in the European Union (EU) since the enactment of new privacy laws (General Data Protection Regulation) in 2018, where penalties could now reach up to 4% of a company's global annual revenue.

However, unlike one-time monetary payments, business interruption or damage to brands could have more severe and longer lasting consequences in terms of lost revenue, loss of customer trust and attrition, negative impact on business relationships, and weakener competitive positions relative to peers.

Key risks also vary based on sector-specific characteristics (see chart 5). For example, sectors that rely less on technology to run their operations, such as real estate, see the greatest risk from ransomware payments. Business interruption is a material risk across several sectors including specialized sectors such as health care services and pharmaceuticals and sectors dealing with high customer numbers such as retail and consumer goods, utilities, and transportation. Commodity-based sectors like oil and gas and forest and paper products are also most affected by business interruption risk but see relatively see lower risk of damage to brand reputation arising from a cyberattack.

Chart 4


Chart 5


Ratings Impact Of Cyber Incidents – Illustrative Case Studies

The growing number and sophistication of attackers has increased the frequency of cyber incidents. As a result, the number of reported cyber incidents among nonfinancial corporate issuers has increased over the past several years, even though many incidents likely go undisclosed.

We selected seven examples for case studies across different sectors and regions to illustrate the key factors that play into our assessment of the credit impact following a cyber incident. We highlight Colonial Enterprises Inc., JBS S.A., SolarWinds Holdings Inc., T-Mobile US Inc., Travelex Holdings Ltd., Toyota Motor Corp., and Viasat Inc. Through these case studies we also aim to highlight:

  • Where incidents have been considered in our ratings construction;
  • How the magnitude of credit impact has mainly been modest and absorbable to date, especially as a stand-alone isolated event;
  • Rating impacts (e.g., Travelex downgrade) have typically occurred in combination with other factors (e.g., very high leverage and COVID-19 impact); and
  • That cyberattacks have been varied in 1) the type of attack and 2) the industries in which the targeted company operates (from software at SolarWinds to consumer products at JBS).

These case studies also highlight that while cyber defenses may not provide full immunity from incidents, good cyber preparedness and decisive management action helps detect and respond to an incident sooner and mitigate losses. At the other end of the spectrum, cyber incidents often shine a light on the lack of preparedness. Each of these case studies illustrate S&P Global Ratings' approach in considering the issuer's focus and commitment to containing and remediating against losses when cyberattacks are successful (the ratings included are as of Nov. 7, 2022).

Graphics and charts assistance provided by Harshil Doshi.

This report does not constitute a rating action.

Primary Credit Analysts:Mark Habib, Paris + 33 14 420 6736;
Michael P Altberg, New York + 1 (212) 438 3950;
Raam Ratnam, CFA, CPA, London + 44 20 7176 7462;
Vishal H Merani, CFA, New York + 1 (212) 438 2679;
Secondary Contact:Emma Hutchinson, London +44 2071766742;

No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.

Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.

To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.

S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.

S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, (free of charge), and (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at

Register with S&P Global Ratings

Register now to access exclusive content, events, tools, and more.

Go Back