Mark Begor, CEO of Equifax, testifies during a Senate Homeland Security and Governmental Affairs Subcommittee hearing on Capitol Hill, March 7, 2019 in Washington, DC.
Moody’s has just slashed its rating outlook on Equifax, the first time cybersecurity issues have been cited as the reason for a downgrade.
“We are treating this with more significance because it is the first time that cyber has been a named factor in an outlook change,” Joe Mielenhausen, a spokesperson for Moody’s, told CNBC. “This is the first time the fallout from a breach has moved the needle enough to contribute to the change.”
Equifax could not immediately be reached for comment.
The decision is significant because investors increasingly look to ratings firms and insurance companies to adequately predict the longer-term fallout of some of the biggest breaches, a difficult task given the relative lack of historical data on these incidents.
Moody’s cited Equifax’s recent $690 million first-quarter charge for the breach as contributing to the downgrade. The expense represents the company’s estimate for settling ongoing class action cases, as well as potential federal and state regulatory fines.
The note also cited Equifax’s hefty cybersecurity investments as problematic for its future strength.
“We estimate Equifax’s cybersecurity expenses and capital investments will total about $400 million in both 2019 and 2020 before declining to about $250 million in 2021,” the note says. “Beyond 2020, infrastructure investments are likely to remain higher than they had been before the 2017 breach.”
Moody’s also said Equifax may not be alone.
“The heightened emphasis on cybersecurity for all data oriented companies, which is especially acute for Equifax, leads us to expect that higher cybersecurity costs will continue to hurt the company’s profit and free cash flow for the foreseeable future,” Moody’s said.
The firm recently said it’s working on building cyber risk into its credit ratings, which would put corporations on the hook for their cybersecurity practices. Moody’s has indicated that the types of companies most at risk include financial firms, securities firms, hospitals, market infrastructure providers and electric utilities.
As CNBC previously reported, the stolen Equifax data has never been found and intelligence officials largely believe it has been collected and used for foreign intelligence purposes.