A major credit rating agency is warning that ransomware attacks can not only lead to outages and downstream infection of a victim’s customers, it can also have a material impact on the credit of entire industries.
Fitch Ratings, one of the “big three” credit rating agencies along with Moody’s and S&P, is pointing to a recent ransomware attack on Cloudstar as a close call for the title insurance industry and a cautionary tale for the risks of one industry relying on a single IT or security provider.
On July 16 Cloudstar announced it was experiencing “a service interruption which is affecting a portion of our customers.” Two days later, they confirmed that they had been hit with a ransomware attack and their systems were currently inaccessible, though they also stated that their Office 365 email, email encryption offerings and some support services were still “fully operational.”
The attack is still ongoing, and Cloudstar said on July 20 that it is still “very much so in the containment and remediation phase” and are investigating the scope of the damage to their systems and customers.
"We are meticulously scanning our systems to determine exactly which ones were impacted by malware, and which ones may still be viable and/or clean to bring back online,” the company said July 20. “We have also been staying in close contact with law enforcement and working with our customers to relay as much information as possible to help them meet their business needs and make go-forward decisions that are in their best interests and that of the industry’s.”
Fitch notes that Cloudstar’s hosting services are used by a large number of title agents and businesses providing settlement services. Both provide “ancillary” but important services to title insurance industry, and the disruption is expected to cause delays, but not cancellations, within the broader title insurance industry. In a July 18 statement titled “Closings in Jeopardy as Cloud-hosting Vendor Suffers Ransomware attack," the American Land Title Association claimed that Cloudstar operates six U.S. data centers serving 42,000 users and said “several software vendors and title companies are offering their expertise and services to help ensure deals continue to close” in the meantime.
“Affected title and settlement companies should contact regulators in the states they conduct business,” the ALTA advised. “The same companies also should contact their cyber insurance providers.”
Fitch doesn’t rate Cloudstar, and based on what’s known so far it isn’t likely to treat the attack as a material credit event affecting the broader title insurance industry. However, that outcome could have been more likely had the disruptions led to policy cancellations, and the episode underscores the broader risks of players in an industry creating a single point of failure by relying too heavily on one piece of software, hardware or service.
“It used to be that [businesses were mostly concerned with] idiosyncratic risks, you only worried about your company. That’s moved to your supply chain and tier one vendors but now again as people go to these tier one vendors, they create this bigger source of risk,” said Gerry Glombicki, a director at Fitch Ratings, in an interview with SC Media. “You can’t control what your competitors do or what they pick, but as they pick the same things you do, you’re all going to become more of a target and it’s one of these extra layers of cybersecurity that management now has to be concerned about.”
Glombicki said attacks like those on SolarWinds, Microsoft Exchange servers, Kaseya and Pulse Secure VPNs all represent similar single points of failure that carry the potential to create a broader credit impact on an industry depending on how reliant they are on those services and the downtime it causes.
Those risks can be even more pronounced when the attack is geared towards cloud providers like Cloudstar, Google or AWS that are hosting and managing an increasingly large chunk of the economy’s IT systems and assets.
“When these companies go down, that causes a disproportionate effect. If I were to attack company X alone, it takes a lot of time, money, effort and energy to do that,” said Glombicki. “If you can do it to cloud provider who hosts all these services, then you can actually cascade these effect down, and it becomes a force multiplier when you target these single points of failure.”
How much would something like that impact an industry’s credit posture and for how long? Each attack would have its own unique scope of damages and supplier ecosystem, so the impact in each case can be hard to predict. But Glombicki said anything that leads to prolonged outages, downtime, or serious service disruption within an industry could carry “significant” credit implications.
“Ransomware in general, they take roughly 28 days give or take to resolve. If you’re without your system completely for 28 days and there are no backups and no alternatives, that’s a rather big credit event,” he said. “In theory a company could potentially become insolvent in that timeframe if they can’t access or service their clients in any way for almost a month.”