Moody's Changes Equifax's Outlook to 'Negative'

First Time a Data Breach Triggers a Moody's Financial Outlook Change
Moody's Investors Service has changed its financial outlook for Equifax to "negative" from "stable," reflecting concerns about how the credit reporting giant is recovering from the 2017 data breach that exposed the personal information of 148 million Americans.

Moody's reports that this is the first time that concerns over a cybersecurity event led it to change a company's outlook.

The Moody's revision comes a few weeks after Atlanta-based Equifax announced its financial results for the first quarter of 2019. In that report, the company revealed that it has spent $1.4 billion on post-breach costs so far, including overhauling its information security program (see: Equifax's Data Breach Costs Hit $1.4 Billion).

Equifax's post-breach costs are expected to be substantial over the next three years, according to the Moody's analysis. The report predicts that the company will spend $400 million on cybersecurity expenses and capital improvements in both 2019 and 2020, plus another $250 million in 2021.

"Beyond 2020, infrastructure investments are likely to remain higher than they had been before the 2017 breach," according to Moody's. "The heightened emphasis on cybersecurity for all data-oriented companies, which is especially acute for Equifax, leads us to expect that higher cybersecurity costs will continue to hurt the company's profit and free cash flow for the foreseeable future."

A Wake-Up Call

The fact that Moody's is willing to consider cybersecurity as a major factor in its financial outlook for a company is a wake-up call for businesses and their boards of directors, says Steve Durbin, the managing director of the Information Security Forum, a London-based not-for-profit organization.

"This will undoubtedly send a clear and direct message to the board of directors, and the C-suite, in a way that will be easily understood," Durbin says. "Cyber risk is essential to business risk, and the implications of a data breach, or loss of data, can have a significant impact on an organization. For the cybersecurity industry, this supports what I have been advocating for some time - that cybersecurity is a business issue and must be taken seriously by boards."

Joe Mielenhausen, a spokesperson for Moody's, notes: "We are treating this with more significance because it is the first time that cyber has been a named factor in an outlook change," according to CNBC.

In a statement provided to Information Security Media Group, an Equifax spokesperson notes that Moody's did not change the company's credit rating, only revising the financial outlook. Equifax will continue to invest in its business and technology, the spokesperson says.

Moody's long-term credit rating for Equifax is Baa1, which means the company is a moderate credit risk.

The Moody's report acknowledges that Equifax remains a dominant force in the consumer credit rating market, along with Experian and TransUnion, its two largest competitors.

"Equifax remains solidly investment grade and the revision in Moody's outlook will not impact our internal investments, including new products, our $1.25 billion EFX2020 technology and security advancements, or future acquisitions," the Equifax spokesperson says. EFX2020 is a company initiative to invest in security and technology, while driving growth, according to the company's investment relations plan.

Ongoing Fallout

The 2017 Equifax breach exposed the personal information of about 56 percent of all American adults, as well as others in Canada and the U.K. The incident has spawned several investigations of the company, which found that Equifax's failure to patch a vulnerability in the Apache Struts open source web application framework allowed attackers to find their way into the network and steal personal data (see: Equifax's Colossal Error: Not Patching Apache Struts Flaw).

A recent report released by the U.S. Senate Permanent Subcommittee on Investigation found that Equifax failed to follow its own cybersecurity policies, including those prescribing how and when to patch critical software vulnerabilities (see: Congressional Report Rips Equifax for Weak Security).

In addition, company executives did not prioritize security, and many key decisions were left to lower-level IT employees, the Senate report found.

Similar investigations by a House committee and the Government Accountability Office found that the Equifax breach was preventable.

Equifax signed an agreement with Canada's privacy commission to provide more information, including audits. In the U.K., the company was fined the equivalent of $651,000 as a result of the breach.

Meanwhile, the company is facing a slew of consumer lawsuits. In its recent quarterly report, the company notes that it's sorting through more than 1,000 individual consumer actions, including lawsuits seeking class-action status, in U.S. state and federal courts.

Political Issues

And the Equifax breach has become a political issue as well.

Democratic presidential hopeful Sen. Elizabeth Warren, D-Mass., along with Rep. Elijah Cummings, D-Md., commissioned a GAO report that recommended that if the government wants to do more to protect consumers, the U.S. Federal Trade Commission should have the ability to impose greater civil penalties against consumer reporting agencies, including Equifax (see: GAO: Equifax-Like Breaches Require Greater Civil Penalties).

Warren also has introduced legislation that would pave the way for top executives at major corporations to face criminal charges if their company's wrongdoing leads to harm, such as a major data breach (see: Sen. Warren Wants CEOs Jailed After Big Breaches).

About the Author

Scott Ferguson

Former Managing Editor, GovInfoSecurity, ISMG

Ferguson was the managing editor for the media website at Information Security Media Group. Before joining ISMG, he was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and
