Cybersecurity disclosure and regulations could either spur a positive credit environment or cause unintended consequences if not well managed, according to Moody’s Investors Service.
Moody’s analysts said that a rise in cybersecurity disclosure is credit positive because it improves transparency on the scope of cyberattacks, but public reporting on attacks could also give hackers details and cause further harm. Analysts added that the compliance burden of cybersecurity regulations could also add financial costs for companies.
Governments and regulators have imposed more regulations and disclosure requirements amid an increasingly complicated cyber landscape, particularly in light of high-profile attacks, such as the SolarWinds hack in 2020. In the U.S., the Securities and Exchange Commission proposed new rules in March to enhance security incident disclosures. Policymakers in the European Union, Canada, and India have also taken action to strengthen disclosure regulations.
Gerry Granovsky, senior vice president at Moody’s, told SC Media in an interview that his analysts are looking closely at the impact of these regulations and legal actions on companies’ creditworthiness.
“Significant regulatory or legal action will impact the rating,” Granovsky said.
He noted that Moody’s is paying particular attention to the European Union’s General Data Protection Regulation (GDPR) and recognizes it as a constraint on technology companies’ credit scores.
Over the past few years, Europe has gotten serious about data privacy, with tech giants being warned and penalized for failing to comply with GDPR. Just this week, German data protection regulators reported that Microsoft’s product “remains in breach” of the GDPR, while the Irish Data Protection Commission fined Meta $277 million for failing to protect users’ data.
According to Granovsky, Moody’s has yet to observe any significant regulatory moves that affect companies’ credit ratings directly but has noticed that the GDPR, under which companies are mandated to keep their data for an extended period, has increased the operational cost of major cloud companies.
“You will start to see more expenses related to the European operations. So, what can [these companies] do?” Granovsky said. “They raise the prices.”
While those companies can raise prices to overcompensate for the cost, it is unknown whether GDPR requirements will affect their financial performance in the long run, which would in turn affect their credit scores.