There is a “cost” to increasing the cyber resilience of companies when that increase is driven by regulation. Cybersecurity regulations in the European Union (GDPR, NIS2), in the United States and in a growing number of other countries are, in fact, a double-edged sword for organizations: on one side, they improve cyber resilience through increasingly high standards of governance and transparency in threat management; on the other, they can weigh on the financial risk profile of issuers, because they require investment to meet the requirements and, in the event of non-compliance, bring losses and penalties. The cybersecurity measures adopted, regulatory compliance and the ability to react to threats will increasingly differentiate companies, including when their risk profile is defined and estimated. So writes S&P Global Ratings in the study “Cyber risk insights: New regulations will increase resilience, at a cost”.

“Regulators are putting the spotlight on organizations’ cyber exposure by demanding greater disclosure of cyber events and information on their cyber readiness and resilience,” writes Vishal Merani, credit analyst at S&P Global Ratings. “This opens the door to a differentiation based on cyber risks, which could have implications for the creditworthiness of companies.”

The report indicates that the European Union and the United States have taken the lead in introducing and enforcing cybersecurity regulations, and that their rules are influencing how laws are drafted in other regions of the world.

How much does cybersecurity cost?

Regulators’ attention to cybersecurity is clearly linked to the growth in the number and severity of cyber attacks, often criminal or state-sponsored in nature and aimed at strategic infrastructure. Known incidents involving the confirmed disclosure of data to an unauthorized party have more than doubled in the past five years (from just over 2,000 known cases in 2017 to over 5,000 in 2022) and have become increasingly costly ($3.6 billion on average in 2017; $4.4 billion in 2023), the report reads.

In response, corporate spending on data security and risk management was estimated by Gartner at approximately $169 billion in 2022 globally, compared to $158 billion a year earlier. The forecast for 2023 is an expenditure of around $188.3 billion. Companies are also increasingly buying cyber insurance to offset the costs resulting from incidents. Cyber insurance premiums reached approximately $11.9 billion in 2022, up from $5.8 billion in 2019, according to Munich Re; total annual spending could reach $33.3 billion by 2027.

Cyber regulation in the world

For their part, governments have addressed the growing cyber threat with a growing body of laws that seek to protect critical infrastructure and consumer data, compel organizations to strengthen their cyber defenses, and aim to ensure greater disclosure of cyber events and risk factors. The EU and the US lead the way and influence the policies of other nations.

Cyber risk weighs on the rating

Cyber risk is inherently bad for credit, writes S&P. Businesses are exposed to significant losses and business disruption in the event of a major incident, as well as fines and other penalties for insufficient IT literacy. In addition, even excellent IT risk management does not eliminate this exposure. This “inherent negativity” ties into the fact that cyber preparedness, by itself, creates no value and can be costly. Indeed, it could become increasingly expensive as threats evolve and require new investments.

The growth of regulation also adds to the negative effect of cyber risk on credit. For example, regulations already in place (such as GDPR in Europe and CCPA and HIPAA in the US) require timely disclosure of a cyber attack to regulators and affected individuals, which in turn requires heavy investment in effective detection systems. Similarly, security rules such as CIRCIA in the United States and NIS2 in Europe, aimed at protecting critical infrastructure, improving national security coordination and informing financial markets, are another cost for companies to comply with. The rules will impose both one-time and ongoing compliance costs, the analysts write.

The sectors most at risk: telecoms, e-commerce, finance and healthcare

Cyber regulation could also indirectly weigh on the operations, liquidity and profitability of organizations. For example, new IT security standards could lengthen and complicate product approval for developers and manufacturers, as happened in the United States, where section 3305 of the medical device regulation placed the burden of patching and updating products on device manufacturers.

In addition, greater emphasis by regulators on security by design could expose organizations to liability for damages suffered through the exploitation of security flaws in their products or services.

Likewise, growing data protection obligations could burden industries that routinely collect and use personal data, such as e-commerce, retail, telecommunications, healthcare and financial services.

Increased restrictions on access to some consumer data could also have a negative impact on business models or on service and product functionality.

Another factor is that the cost of cyber insurance will rise in response to increasingly broad and complex regulations and a heightened threat of fines and litigation.

Some benefit from cyber-regulation

Increased regulation of information technology is, however, also expected to have some positive effects on credit risk. Companies that invest in cybersecurity reduce the likelihood of losses from cyber incidents large enough to hurt their credit quality.

Companies will also benefit from the additional support of government agencies, such as ACN in Italy, which should contribute to better identification (and therefore prevention) of threats while improving strategies for resolving problems. Furthermore, regulators’ facilitation of knowledge sharing among organizations should help improve best practices in cyber risk management and governance.

Organizations will also benefit from the growth of the cybersecurity services market, whose supply is expected to expand in response to increased demand.

Cybersecurity as a differentiator

Inevitably, increased regulatory scrutiny of cyber risk factors will strengthen disclosure both of cyber incidents and of the extent to which organizations practice good cyber hygiene. Greater visibility into cyber incidents will provide new insight into corporate governance and risk management, and will make it easier to compare how cyber risk affects organizations and how it is addressed in terms of management and governance.

This, concludes S&P, “will continue to increase our ability to differentiate issuers based on cyber risk readiness as part of their overall risk management framework and will ultimately be reflected in our ratings. Meanwhile, enforcement actions, such as fines for poor cyber hygiene resulting in cyber breaches, could also impact our view of issuer creditworthiness.”

Since much of cyber regulation is relatively new, it remains to be seen to what extent the information it produces will prove valuable in assessing credit quality. It is also unclear to what extent fines and the other costs imposed by regulatory requirements may affect creditworthiness, not least because this will depend on how aggressively regulators enforce the rules.

