While affirming Equifax’s senior unsecured rating at Baa1 and short-term rating at Prime-2, Moody’s Investor Services downgraded the company’s outlook from stable to negative due to the 2017 cyber-attack.
“The outlook revision to negative reflects weaker operating performance and credit metrics than originally expected following the cybersecurity breach in 2017,” the May 17 rating action notice stated.
"Free cash flow may remain around only $150 million per year for a few years, or less than half of annual free cash flow prior to the breach," said Edmond DeForest, Moody's vice president and senior credit officer. "Diminished free cash flow limits Equifax's ability to reduce its financial leverage," he continued.
Infosecurity Magazine reached out to Equifax for comment in reaction to the news that was reported May 23 by CNBC. An Equifax spokesperson wrote in an email, “Moody’s affirmed our Baa1 senior unsecured rating and the short-term rating at Prime-2. Any questions about the outlook change should be directed to Moody’s. EFX remains solidly investment grade and the revision in Moody’s outlook will not impact our internal investments, including new products, our $1.25bn EFX2020 technology and security advancements, or future acquisitions.”
According to CNBC, a Moody’s spokesperson said the downgrade is significant because “it is the first time that cyber has been a named factor in an outlook change.”
The news isn’t all that surprising to industry experts who have long been saying that cybersecurity is a boardroom issue. “Everyone is in business with a single goal, which is to make money. This includes the bad guys, except that they want to make their money by preventing someone else from doing the same,” said Laurence Pitt, strategic security director, Juniper Networks.
Because cyber-risk is integral to business risk, boards will likely see this downgrade as a clear message in a language they can understand, said Steve Durbin, managing director of the Information Security Forum.
“For quite some time, I have been encouraging both the insurance industry and credit rating agencies to take cyber risk into account when setting policy pricing and assessing company value. Moving forward, this should become the norm since cyber-risk is so integral to business risk that an assessment of business health without taking cyber risk and a company’s resilience into account will become meaningless. For the cybersecurity industry, this supports what many have been advocating for some time – that cyber is a business issue and must be taken seriously by boards.”