U.S. cyber regulations could be “credit positive” for companies in 2023: Moody’s

U.S. efforts to crack down on ransomware and mandate companies report cyber incidents could end up being a “credit positive” next year, according to Moody’s 2023 cyber outlook shared first with Axios.

Why it matters: A rise in cyberattacks in recent years has caused headaches for businesses as they face high price tags to recover from attacks — and potentially see their creditworthiness hurt following an incident.

The big picture: Credit raters and analysts have started factoring histories of cyberattacks into decisions about whether a company will be able to repay their debts, per the Wall Street Journal.

• If a company handles a cyberattack poorly, they risk facing a lower credit ranking, signaling that a company might not be able to make necessary payments.

Details: U.S. actions to sanction ransomware actors, target the servers those ransomware operators work on and enact new cyber incident reporting laws could reverse this trend and create a “credit positive” environment in 2023, analysts at Moody’s told Axios.

• Ransomware efforts have started to dissuade attackers from targeting U.S. companies, and incident reporting laws will “help raise a baseline set of information about the scope of cyberattacks,” the report notes.

Between the lines: For ransomware, the U.S. is benefiting while organizations in Europe and South America will take a hit as ransomware gangs hone in on them.

• “This shift will be credit positive for U.S. issuers experiencing a relative reprieve from attacks but negative for issuers in regions with an uptick in ransomware incidents,” the report notes.

Yes, but: Moody’s outlook could change depending on how exactly new laws and regulations are implemented.

• Various government agencies — including both CISA and the Securities and Exchange Commission — are currently working on proposals to set up their own reporting requirements. But, as they stand right now, each one has different deadlines and requirements for the incident reports.
• Whether these efforts can be harmonized will play a huge role in whether they hurt a business’s creditworthiness in the future, said Gerry Granovsky, senior vice president of Moody’s cyber risk group.

The bottom line: Creditors are hopeful that government attention to cyberattacks could help offset some of the financial turmoil these incidents have caused businesses.

Sign up for Axios’ cybersecurity newsletter Codebook here.