
Here’s how breach disclosures could impact company credit ratings, says Moody’s

Gerry Granovsky, senior vice president at Moody’s, told SC Media in an interview that his analysts are looking closely at the impact of regulations and legal actions on companies’ creditworthiness. (Image credit: INDU BACHKHETI via Getty)

Cybersecurity disclosure and regulations could either spur a positive credit environment or cause unintended consequences if not well managed, according to Moody’s Investors Service.

Moody’s analysts said that a rise in cybersecurity disclosure is credit positive because it improves transparency about the scope of cyberattacks, but public reporting on attacks could also give hackers details and cause further harm. Analysts added that the compliance burden of cybersecurity regulations could also add financial costs for companies.

Governments and regulators have imposed more regulations and disclosure requirements under an increasingly complicated cyber landscape, particularly in light of high-profile attacks, such as the SolarWinds hack in 2020. In the U.S., the Securities and Exchange Commission proposed new rules in March to enhance security incident disclosures. Policymakers in the European Union, Canada, and India have also taken action to strengthen disclosure regulations.

Gerry Granovsky, senior vice president at Moody’s, told SC Media in an interview that his analysts are looking closely at the impact of these regulations and legal actions on companies’ creditworthiness.  

“Significant regulatory or legal action will impact the rating,” Granovsky said.  

He noted that Moody’s is paying particular attention to the European Union’s General Data Protection Regulation (GDPR) and recognizes it as a constraint on technology companies’ credit scores.

Over the past few years, Europe has gotten serious about data privacy, with tech giants being warned and penalized for failing to comply with GDPR. Just this week, German data protection regulators reported that Microsoft’s product “remains in breach” of the GDPR, while Meta was fined $277 million for failing to protect users’ data by the Irish Data Protection Commission.  

According to Granovsky, Moody’s has yet to observe any significant regulatory moves that affect companies’ credit ratings directly but has noticed that the GDPR, in which companies are mandated to keep their data for an extended period, has increased the operational cost of major cloud companies.

“You will start to see more expenses related to the European operations. So, what can [these companies] do?” Granovsky said. “They raise the prices.”  

While those companies can raise prices to overcompensate for the cost, it is unknown whether GDPR requirements will impact their financial performance in the long run, which would affect their credit scores.

Menghan Xiao

Menghan Xiao is a cybersecurity reporter at SC Media, covering software supply chain security, workforce/business, and threat intelligence. Before SC Media, Xiao studied journalism at Northwestern University, where she received a merit-based scholarship from Medill and Jack Modzelewski Scholarship Fund.
