The disservices and business disruptions caused by some recent cyber-attacks demonstrate that the financial impact of cyber crime is becoming increasingly significant and may lead to reduced earnings and credit ratings. Standard & Poor's Global writes in the new study entitled "Corporates up their cyber preparedness as cyber attacks become more widespread" (DOWNLOAD HERE THE FULL REPORT).

“While the cyber incidents did not weaken corporate or financial risk profiles or directly lead to rating downgrades, they increasingly have the potential to erode credit quality and put downward pressure on credit ratings over a period of time,” the report reads.

S&P, the financial impact of cyber-attacks

Given the scale of business disruptions resulting from some recent cyber events, the visibility and scope of the financial impact of cyber events is increasing. Very few companies fully quantify the impact of cyber events in detailed financial terms. Manufacturing companies could typically recover production losses or lost orders within a few months or quarters, but the potential financial damage resulting from reputational deterioration of branding, linked to the perception of lower service levels, is difficult to quantify and is likely to become evident only in the long term.

The payouts you get from cyber policies are typically not extensive enough to fully offset the financial impact of business interruption and resulting repair costs. Extended investigation times, corrective actions, regulatory sanctions e potential legal action can make the financial quantification of cyber attacks even more complex and time-consuming.

The S&P study is based on the analysis of some cyber attacks that have occurred since January 2022 on 75 non-financial companies around the world.

Five real cases

The economic impact of cyber attacks is exemplified in the study by reporting five real cases.

The interruption of the activities of Mgma company that manages resorts and casinos in Las Vegas, after the cyber attack in September, will limit – according to the company’s own estimates – the Ebitdar for the third quarter of 2023 by 100 million dollars, predominantly in its Las Vegas operations. This is equivalent to approximately 10% of the company’s Ebitdar in Q3 2022.

Clorox (US cleaning products company) predicts a material negative impact on earnings and cash flow at least in the first fiscal quarter after the massive attack suffered in August. The event is not entirely resolved, although Clorox should be able to successfully restart operations without a permanent negative impact on its reputation and earnings-generating ability. At the same time, the company has not finished assessing the economic and financial impact of the attack.

As for the Aspen DentalS&P predicts that the cyber incident last April will reduce revenues and Ebitda of approximately $120 million and $110 million, respectively, compared to prior estimates of approximately $90 million and $60 million, respectively.

Mks Instruments (equipment for the food industry semiconductors): the ransomware attack in February 2023 had a total revenue impact of 160 million dollarsof which $120 million has been recovered, with the remaining amount expected to be recovered in the third quarter.

Finally, there is the case of Metro, based in Germany, Europe’s largest food wholesale and delivery operator. The company suffered a cyber attack in October 2022, it expects to claim up to 50 million additional euros in cybersecurity costs in fiscal year 2024.

The costs of attacks and cyber policies

Threat actors target predominantly sectors whose businesses handle large amounts of sensitive customer data or sectors providing critical services: Analysis of 75 cyber incidents revealed that the IT and telecommunications services they represented each 12% of attacks information technology, followed by media and entertainment (11%), retail (11%), consumer products (9%) and transportation (9).

Land data breaches and ransomware attacks are the most common types of accidents.

The monetary losses resulting from data breaches have increased in recent years. According to IBM Security’s 2023 Cost of a Data Breach Report, the global average cost of a data breach reached $4.45 million in 2023 – an all-time high and a 15% increase from 2020. The report is based on data breaches experienced by 553 organizations globally between March 2022 and March 2023.

Analysts have also observed a trend of companies ad insure against IT risks, also to offset the costs resulting from accidents. Global cyber policy premiums reached approximately $12 billion in 2022 and will likely increase on average 25%-30% per year to approximately $23 billion by 2025.

While most cyber attacks are caused by phishing or employee errors, many cyber breaches also result from attacks or security breaches at external vendors. Within the S&P sample, approximately 15% of cyber attacks resulted from third-party security vulnerabilities, as providers of payroll and recruitment services. This highlights the need for organizations to prepare more thoroughly for cyber risk by monitoring the entire value chain.

