
S&P - Companies face cyber threat


CYBER RISK June 9, 2015

1 STANDARD & POOR'S RATINGS SERVICES

Cyber Risk And Corporate Credit OVERVIEW

• A growing threat. Cyber crime costs the global economy upward of $400 billion a year. For corporates it implies rising cyber security and insurance costs and significant event risk. At risk are revenues, profitability, debt levels, intellectual property and reputation.

• Unique risk. Cyber risk has unique traits. Attacks appear random but also highly correlated thanks to global interconnectivity. Multiple points of attack make limiting exposure difficult and reliant on culture and vigilance as well as expenditure. Culprits are many: state proxies, organized crime and corporations seeking competitive advantage.

• Credit impact. Post-attack reparations pose the greatest risk to credit quality in our view, although they have been modest so far. Business disruption, adverse legal outcomes and loss of reputation are among myriad potential consequences. The most likely adverse ratings impact would stem from an attack that weakens the business profile, chiefly through future revenue and profitability, and thereby causes credit metrics to deteriorate.

• Management role. Growing cyber disclosure requirements and the need to safeguard assets mean that management and boards need to ensure adequate preparation.

• Industry risk. High cyber-risk areas highlighted by our sector specialists include payments and financial data (retail and restaurants), intellectual property theft (aerospace and defense, technology) and infrastructure and control systems (telecoms, utilities).

• Inside track. We include a Q&A with Standard & Poor's Ratings Services Chief Information Officer, Thomas Bayer (see page 8).

Under Standard & Poor's policies, only a Rating Committee can determine a Credit Rating Action (including a Credit Rating change, affirmation or withdrawal, Rating Outlook change, or CreditWatch action). This commentary and its subject matter have not been the subject of Rating Committee action and should not be interpreted as a change to, or affirmation of, a Credit Rating or Rating Outlook.

Corporate
Gareth Williams | London | +44 20 7176 7226 | gareth.williams@standardandpoors.com
Robert Schulz, CFA | New York | +1 212 438 7808 | robert.schulz@standardandpoors.com
David Tesher | New York | +1 212 438 2618 | david.tesher@standardandpoors.com

Governance
Laurence Hazell | New York | +1 212 438 1864 | laurence.hazell@standardandpoors.com


CYBER RISK AND CORPORATE CREDIT

Cyber risk has emerged as a pivotal concern for national and economic security in many countries. It tops the list of threats identified by the 2015 "Worldwide Threat Assessment of the U.S. Intelligence Community," and the U.K. government views cyberattacks on a par with terrorism as a highest-level threat to national security. The estimated total annual cost to the global economy is over US$400 billion[1]. For corporate credit it represents a growing source of concern given the increasing frequency of reported incidents, but one which is difficult to assess given uncertainty about the magnitude of risk, the means of limiting such risk, potential financial and reputational damage, and how it might translate to a credit event.

In this article, we tackle three questions:

• What is cyber risk?
• How could it affect corporate credit ratings?
• Which industries do we consider to be more or less vulnerable at present?

DEFINING CYBER RISK

The London-based Institute of Risk Management provides a useful definition of cyber risk as “any risk of financial loss, disruption or damage to the reputation of an organization from some sort of failure of its information technology systems.” For corporates, those that pose a threat in this regard cover a broad spectrum:

• States and their proxies
• Organized criminals
• Terrorists
• Other corporates (industrial espionage)
• Campaigners, sometimes known as "hacktivists"
• Employees (accidental loss of data, deliberate theft and "whistleblowing")
• Vandals and opportunists

Given the highly distributed nature of communication networks and the ever-growing volume of connected devices and data storage locations, points of exposure are widespread, both internal and external. Unlike more traditional forms of crime, it is not always obvious when a crime has occurred, and electronic data and communications allow vast volumes of information to be extracted at great speed. At risk are:

• Money
• Intellectual property (IP)
• Reputation
• Ongoing operations (business continuity)
• Data in all its forms, including sales data, business and merger plans, employee and customer financial details and records, intra-firm communications, confidential material etc.

The threat is not restricted to areas of financial transactions and payments processing such as banking and retail. Automated and networked manufacturing processes and transportation systems and the like are also vulnerable, as illustrated by the alleged use of the Stuxnet computer worm by U.S. security forces in 2009-2010 to damage Iranian nuclear centrifuges. In 2014, a German steel mill suffered major damage from an attack on its control systems[2]. The U.S. Department of Homeland Security's ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) responded to 245 incidents in 2014, 32% of which were in the energy sector and 27% in what is categorized as critical manufacturing (see Chart 1). It is no longer the case that industrial control systems can be safely assumed to be closed systems with no point of access for the outside world.

[1] Net Losses: Estimating the Global Cost of Cybercrime II, June 2014, Center for Strategic & International Studies/McAfee
[2] https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2014.pdf

Cybercrime costs the global economy upward of $400 billion a year

Industrial control systems also at risk


CHART 1 | REPORTED U.S. INDUSTRIAL CONTROL SYSTEM (ICS) INCIDENTS BY SECTOR IN 2014

Source: U.S. Department of Homeland Security, National Cybersecurity and Communications Integration Center, ICS-CERT Year in Review, 2014 (Industrial Control Systems Cyber Emergency Response Team). Shows 2014 incidents reported by sector (245 total).

IP theft and industrial espionage (including loss of sensitive competition data and details of prospective M&A) affect a wide range of industries, particularly those with high-value technology such as aerospace & defense, information technology hardware, software, and pharmaceuticals. A report prepared for the U.K. government in 2011[3] estimated that the costs of IP theft and industrial espionage for companies are significantly greater than the costs of other types of cybercrime.

CYBER RISK AND CREDIT QUALITY: AN IRREGULAR RISK

How could cyber risk affect credit quality? This is a difficult risk to assess for ratings given the following characteristics:

• Limited, asymmetric information, with issuers knowing their own preparations but having limited visibility of the risks they face.

• A type of risk that is close to random in occurrence but also highly correlated (if a building burns down, other buildings are not at risk unless very close by, whereas a virtual "fire" in one location can easily spread to almost any other). This makes the pooling of cyber risk, which helps insurers manage many other forms of risk, more difficult.

• An absence of linear risk trade-offs: most crucially, the amount spent on risk prevention is no guide to the relative likelihood of attack, nor to the magnitude of any subsequent damage. There is a "free rider" problem in that money spent by one company on developing risk solutions is likely to benefit others who take no precautions at all. One illustration from insurance pricing is that the relative cost of the third quartile of risk (relatively risky) versus the first quartile (the least risky) is only 1.7x for cyber risk, versus 2.6x for property and 9.1x for general liability[4]. In simple terms, underwriters find it harder to differentiate between magnitudes of cyber risk and to adjust premiums accordingly.

• Similarly, there are only limited patterns by industry, country and size. High-income countries are affected more, given the greater target value for criminals. However, differentiating among high-income countries is difficult, even after adjusting for possible explanatory factors such as GDP differentials, broadband connectivity or language. McAfee and the U.S.-based Center for Strategic & International Studies estimate[5] that the cost of cybercrime relative to GDP is greater for Ireland than for the U.K., and for Germany relative to Japan.

[3] https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60943/the-cost-of-cyber-crime-full-report.pdf
[4] UK Cyber Security: The Role Of Insurance In Managing And Mitigating Risk, HM Government (UK) and Marsh, March 2015

Chart 1 data (reported U.S. ICS incidents by sector, 2014; 245 in total):

Sector | Incidents | Share
Energy | 79 | 32%
Critical Manufacturing | 65 | 27%
Healthcare | 15 | 6%
Communications | 14 | 6%
Water | 14 | 6%
Govt Facilities | 13 | 5%
Transportation | 12 | 5%
Commercial Facilities | 7 | 3%
Nuclear | 6 | 2%
Unknown | 6 | 2%
Info Tech | 5 | 2%
Chemical | 4 | 2%
Finance | 3 | 1%
Food & Agric | 2 | 1%

Cyber threats have unique characteristics

• The risk of attack for smaller companies appears to be slightly lower, but not by much. PwC's 2015 Information Security Breaches Survey for the UK's Department for Business, Innovation & Skills reported[6] that 74% of small businesses had experienced a security breach over the prior year, versus 90% for large organizations. Small companies have a different risk profile from large companies: they face less risk of IP loss and espionage, for example, but have weaker data resilience.

• There are some predisposing factors that make some companies appear more at risk, such as reliance on electronic payment systems or storage of large volumes of personally identifying information, but the ubiquity of mass data storage and network connectivity means that most industries have some form of vulnerability. Given the rapid pace of technological development and the complexity of the systems involved, assumptions about relative vulnerability are highly fluid.

Given the risk profile of cyber risk, we think it is better assessed as a form of event risk. For ratings, the most transparent factors that we can seek to understand are:

• The cost of security measures
• The cost of insurance premiums
• An assessment of risk preparedness and disclosure
• Costs resulting from successful attacks and their impact on cash flow

CYBER RISK AND CREDIT QUALITY: PRECAUTIONARY COSTS

The financial costs of dealing with cyber risk come in two forms: precautionary measures and post-attack reparation.

The cost of precautionary measures has two components:

• Security costs (hiring staff, consultants, purchasing equipment etc.)
• Insurance premiums for first-party (the company itself) and/or third-party (customers) cover.

These imply an additional fixed operating cost, with the largest burden theoretically falling on industries or companies that face (or are perceived to face) the greatest risk of attack, albeit recognizing the difficulties described above in making such distinctions. As cyber is a relatively new threat, and given the sensitivity around it, specific financial information about the cost of corporate cyber protection is not readily available. That said, no Standard & Poor's Ratings Services credit action to date has been specifically linked to cyber risk, suggesting that the overall impact has been relatively modest so far.

As one illustration of security costs, after the 2012-13 denial-of-service attacks on the U.S. financial sector, JP Morgan announced plans for annual cyber security expenditure of US$250 million by the end of 2014. After the company was itself attacked in 2014, its CEO said[7] he would probably double this budget over five years, and its most recent 10-K (annual report to the U.S. Securities and Exchange Commission) said spending would increase by 80% in two years, implying roughly US$450 million in 2016, equivalent to 0.8% of 2014 commercial and retail banking revenues. At the macro level, U.S.-based IDC estimates that the global IT security market was worth US$32.6 billion at the end of 2014[8]. This compares with total 2014 revenues of US$10.8 trillion for the S&P 500 alone, suggesting that IT security costs globally are less than 0.3% of revenues and implying a very modest impact on profitability overall.

[5] Net Losses: Estimating the Global Cost of Cybercrime II, June 2014, Center for Strategic & International Studies/McAfee
[6] 2015 Information Security Breaches Survey, PwC for the UK Department for Business, Innovation & Skills
[7] Comments by JP Morgan's CEO at an Institute of International Finance conference in October 2014, widely reported in the financial press (for example, http://www.wsj.com/articles/j-p-morgans-dimon-to-speak-at-financial-conference-1412944976)
[8] IDC, Worldwide IT Security Products 2014-2018 Forecast

Focus on assessing precautionary costs and event-risk preparation


The cyber insurance market remains relatively new and is served mainly from the U.S. and, to a lesser extent, the U.K. (Lloyd's of London). Marsh estimates that global cyber risk cover amounts to £100 billion (about US$150 billion). The cost of cyber insurance relative to the limit purchased is roughly three times that of general liability insurance, reflecting the degree of uncertainty about the risk and how it should be priced. Moreover, in contrast to many other insurance rates, cyber liability rates have been rising steadily, with a sharp increase in the first quarter of this year (see Chart 2).

CHART 2 | CYBER-LIABILITY INSURANCE RATES HAVE BEEN RISING STEADILY

Source: Marsh, Global Insurance Market Quarterly Briefing, Q1 2015

It is important to keep in mind that many companies do not currently have any cyber insurance in place. The Association of British Insurers (ABI) noted at its 2015 cyber risk conference that although 90% of large UK businesses suffered a cyber-security breach in a 12-month period, only around 10% had any form of cyber insurance. Moreover, many CEOs believe they are covered for cyber risk when they are not: 39% of CEOs of large UK businesses think they are covered[9], in contrast to the insurance industry's estimates of actual cover. Take-up rates in the U.S. are higher, but still a minority: Marsh reports a cyber-insurance take-up rate among its clients across all industries of 16%.

If these figures offer any kind of benchmark, the direct impact on profitability of precautionary measures is currently relatively small but growing. While such costs are likely to continue to rise, given the growing frequency of attack and growing demand for protective policies, we see little evidence that such costs will increase by a magnitude that could have a significant ratings impact in the near term.

At the margin, however, it is possible that a smaller, highly leveraged company in a relatively vulnerable industry might face cyber prevention costs that affect its financial performance. Should the prevalence of successful and financially damaging attacks grow, the cost of insurance will inevitably rise and its availability may start to be restricted. In the worst case, the frequency and impact of attacks could mean that some companies or industries are deemed uninsurable, rendering them much more financially vulnerable.

MANAGEMENT, GOVERNANCE AND DISCLOSURE REQUIREMENTS

The precautionary element of cyber security fits within the scope of Standard & Poor's management and governance (M&G) assessments. For corporate ratings, these assessments rank among the modifiers that can raise or lower our anchor (by one or more notches). M&G analysis addresses how management's strategic competence, risk management and organizational effectiveness shape the issuer's competitiveness in the marketplace, in conjunction with an assessment of the robustness of corporate governance in terms of the leadership provided by executive management and the board of directors.

[9] 2015 Information Security Breaches Survey, PwC for the UK Department for Business, Innovation & Skills

Chart 2 (source: Marsh): quarterly percentage change in U.S. cyber liability insurance historical rate (total price per million of cover), Q1 2013 to Q1 2015, plotted for all companies, companies with revenues of $1bn+ and companies with revenues below $1bn.

Cyber risk insurance is an evolving market and most companies have no cover

Across the ratings spectrum, management and board responses to cyber security issues will provide critical ratings-relevant information about issuers' preparedness for tackling this emerging risk. With respect to director oversight, we recognize that boards of directors are entitled to rely on management and outside expertise in overseeing cybersecurity. Nevertheless, a core function for board members is to employ their own experience and judgment to minimize damage to corporate reputation, both by ensuring preparedness for, and by managing the consequences of, a cyber incident at the companies where they serve.

We understand that companies may wish to be discreet about the measures they have adopted, given that a statement of strength might be seen as a provocation and incentive to cyber criminals. But for certain sectors a board-level focus on complex and technical cyber issues may become necessary. Consideration may need to be given to board composition in terms of a specialist or specialists with requisite knowledge to help fellow board members with identifying the most sensitive and vulnerable areas of corporate activities – and ensuring that sufficient time and resources at the board and enterprise level are being devoted to cyber risk.

Securities laws are, in part, designed to elicit disclosure of timely, comprehensive and accurate information about risks and events important to investment decisions. There is growing pressure from governments and regulators to improve disclosure of cyber incidents, as part of a broader move to recognize the risks at hand and ensure adequate preparation. Key developments include:

• In October 2011, the SEC's Division of Corporation Finance published CF Disclosure Guidance: Topic No. 2, Cybersecurity. This provides direction on the disclosure of incidents, risk factors, management processes and financial-statement effects relating to cyber incidents. The disclosures are not yet compulsory, but pressure to make them so is increasing.

• In 2013, the European Commission proposed a Network and Information Security (NIS) Directive, which is still working its way through the legislative process. It would require companies in scope to adopt risk management measures for network and information security that meet a minimum standard and to report significant security incidents to national authorities.

• In February 2013, the U.S. president issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity. This takes a voluntary approach, but it brought about the NIST Cybersecurity Framework (published in February 2014), a framework of standards and practices for managing cyber risk.

New regulations and assessment frameworks like these are likely to offer a way of assessing the degree of corporate preparedness for cyber risks. However, given the nature of the threat, even an excellent level of preparedness is unlikely to be sufficient to avert a successful attack. It may serve, though, to limit legal liability and regulatory repercussions, minimize disruption to business continuity and allow quicker remediation and recovery.

CYBER RISK AND CREDIT QUALITY: LOSSES FROM ATTACKS

In our view, post-attack reparations pose the greater risk to corporate credit quality and, as a form of event risk, carry the most uncertainty. These include:

• Loss of revenue (through, for example, loss of confidence in online platforms, customer anger at data breaches or intellectual property theft).

• Reduced profitability (from higher ongoing protection costs, compensation claims, forensic analysis of breaches, costs of restoring networks etc).

• Loss of cash balances from theft.

Regulatory disclosure requirements for cyber risk are expanding

Post attack costs pose the greatest credit risk


• Higher debt levels (through a need to meet costs/losses or to pay damages in the event of legal action). Legal claims have the most potential to have a devastating financial effect, particularly in litigation-prone countries such as the U.S.

• Reputational damage: at its most extreme this could be so severe, particularly if an attack resulted in loss of life or brought the company into disrepute, that it might prove impossible for the company to continue trading. Recent, disputed, claims that a cybersecurity professional was able to hack into aircraft flight systems via the in-flight entertainment system illustrate the wide scope of vulnerability, particularly as more and more devices and modes of transportation are connected to the internet.

However, as for precautionary costs, post-attack costs have proved manageable so far, and have not been severe enough to affect credit ratings. Home Depot estimated the cost of its 2014 data breach - which resulted in the theft of 56 million credit and debit card details and 53 million customer email addresses - to have been US$62 million. This compares with revenues in the year to February 2015 of US$83 billion and operating income of US$10.4 billion.

The costs of data breaches appear to vary by industry. The Ponemon Institute's 2015 Cost of Data Breach Study (May 2015, sponsored by IBM) surveyed 350 companies in 11 countries about the cost and impact of attacks. It assesses "regular" data breaches rather than the most extreme cases (for instance, Sony), which Ponemon views as more representative of the typical attack suffered. It suggests that the cost of lost data is most pronounced (see Chart 3) in health, education, pharmaceuticals and financials. Common to these industries is a greater prevalence of sensitive personally identifiable information.

CHART 3 | CYBER DATA BREACH COSTS BY INDUSTRY (PER CAPITA)

Source: Ponemon Institute & IBM, 2015 Cost Of Data Breach Study: Global Analysis, May 2015

While cyber insurance offers some protection against such costs, it is likely to be only partial recompense in the case of very serious breaches. An example is provided by retailer Target, which suffered a data breach in 2013 that resulted in the mass loss of data, affecting 110 million customers. While settlement of the class-action lawsuit from customers cost US$10 million, other costs – legal, forensic investigation, data and network restoration, compliance with breach notification laws, business interruption, post-breach marketing to restore its reputation – took the total cost to US$252 million. Its cyber insurance policy covered US$90 million, leaving an uninsured loss of US$162 million.

Chart 3 (source: Ponemon Institute & IBM): per-capita cost of a lost record by industry classification (US$, global; scale 0 to 400). Industries in the order shown on the chart, from lowest to highest per-capita cost: public sector, transportation, research, media, technology, hospitality, energy, consumer, services, industrial, retail, communications, financial, pharmaceuticals, education, health.

Insurance is only a partial recompense for the most serious attacks


Q&A (ABRIDGED VERSION) WITH STANDARD & POOR’S RATINGS SERVICES CHIEF INFORMATION OFFICER, THOMAS BAYER

Clearly, cyber security is becoming increasingly important for companies and governments, and it’s easy to imagine situations where criminal or even state-sponsored cyber attacks would have significant consequences on a corporation or industry, or a country’s economy. Can you give some perspective how serious an issue this is?

Cyber security is extremely serious, and companies, governments – and individuals – need to treat it as such. It's not just a nuisance issue. There have already been literally hundreds of billions of dollars of intellectual property – and money – exfiltrated from the U.S.

In many ways, companies need to look at cyber security from an accounting perspective. Technology is just the tool to gain information and act as an insider. Beyond the potential reputational hit that companies – retailers, for example – can take, cyber breaches can disrupt business processes or give hackers information that they can sell or trade on.

So, attacks aren’t necessarily – or even often – designed to bring down a company. On the contrary, there’s typically a parasitic relationship that can last for a while. Attacks are meant to disrupt rather than to destroy. If a virus kills its host, the virus dies, too.

What are the methods hackers use?

There are a number of ways attacks can occur. In a simple example, hackers could send false invoices that look official, and so it’s a fairly straightforward accounts-payable issue – not unlike someone stealing your credit card number and running up charges.

On a more sophisticated level, perpetrators try to take over the identities of very senior people at a company and effectively act as that person to exert influence in the company or industry or to gain tradable information. It’s very hard to push back on the CFO or CEO. Companies need to treat the issue as if they’ve got insiders who have gone awry. The difference is that it’s impossible to screen hackers in the hiring or human resources process. So, you’ve done a background check on Tom Bayer – the real Tom Bayer – but you haven’t done a background check on the person acting as Tom Bayer.

How can companies better protect themselves?

The real key is not keeping them out, but realizing they’re in. Toward that end, companies should conduct self-assessments, bring in proper technical expertise to consult, and make sure they’re up to the proper level – particularly relative to competitors in their industry. Almost nobody has the proper protections.

Firewalls generally do more to interfere with legitimate users than to stop hackers. Companies need a depth of defense – they shouldn’t just architect a classic defense like a firewall or intrusion detection measures and expect that to be sufficient. They also need to look at what’s happening to the business process – again, treating this as an accounting issue as much as anything else – and continue to patch their vulnerabilities. Companies too often take too long to patch when they identify a vulnerability.

Also, when perpetrators attack an industry, they attack everybody – so weaknesses are widespread. It helps to join industry associations and learn from rivals and others in a peer group. There are industry niches among various groups of hackers, and each industry has specific vulnerabilities.

What are some examples of “tradable information?”

A good example involves patents, simply because the process to get a patent differs from country to country, which makes it all the more vulnerable to exfiltration. Another example would be knowledge of a country’s imminent awarding of a contract to a company that could, say, move the price of a particular commodity in one way or another. Certainly, knowledge of that could be very profitable.

With regard to hacking against governments, a lot of the information – for example, court cases, insider-trading investigations, employment reports – is marketable in some way. And hacking into central banks’ databases is a major issue because of the money and accounts they control.

At the same time, just taking down a government website is a sort of political victory. It’s a source of pride and notoriety, which gets them in the news, raises their street cred, and enables recruiting. It’s important that governments continuously monitor their systems and accounts. They need to take the time to understand the overall cyber threat, and what could happen after a breach – how could it affect the trading of bonds, etc.

State-sponsored hackers and groups sympathetic to certain countries typically increase their activities when, for example, sanctions are put in place against the country – so other countries should be particularly vigilant when such things are going on. As it is, most government primary web sites are very well-protected.

How do companies disclose incidents or the risks they face?

For publicly traded companies, if a breach has a material impact (as determined by the company) on its finances, the company must disclose it, as per the SEC’s Disclosure Guidance.

It’s important for companies to engage with an accounting firm and their legal teams to see if the threshold for reporting has been met. As it stands, there have been about 1,000 such disclosures in the U.S. already.

Interviewer: Joe Maguire. Tom Bayer is Chief Information Officer for Standard & Poor's Ratings Services. Previously he held the same role for the U.S. Securities and Exchange Commission (SEC). Other prior roles include President and CEO of Maris Technology Advisors, Chief Operations Officer and Chief Technology Officer at Brand Informatics, Chief Information Officer for CapitalOne's European IT infrastructure and Founder and President of Inteliguard Corporation.


Comments from the CEO of U.S. insurer AIG (10) suggest that the maximum amount insured by any one company (a bank) is US$400 million. Most large corporate cyber insurance policies have a maximum value in the US$100 million-US$200 million range. Cyber insurance clearly has a valuable part to play in offsetting cyber risk, but even if coverage levels were to rise sharply, it would only partially limit worst-case risk.

One important issue in assessing costs is the question of how persistent customer reaction is. In the case of Home Depot discussed above, there was little evidence of persistence despite widespread media coverage. The reduction in sales after its breach proved short-lived and there appeared to be limited long-term reputational damage.

The Ponemon survey suggests that customer retention varies by country and industry, with France, Italy, the U.K. and Japan seeing the greatest loss of customers and Canada, India and Brazil the least. The industries worst affected are health, pharmaceuticals and financial services, again reinforcing the view that losses of sensitive personal information are the most damaging in terms of reputation and compensation cost. Switching costs are also relevant here: it is relatively easy and costless to avoid a given retailer if it appears vulnerable, whereas switching banks or utility providers can be time consuming and sometimes costly.

Even though there are few examples of long-term reputational damage, we think it appropriate to assume that the risks here are rising. In particular, repeat offenders are inevitably most at risk of suffering lasting reputational damage and higher security and insurance costs, and of being forced into expensive efforts to rebuild confidence.

INDUSTRY HEATMAP

To gauge relative cyber risk across industries, we surveyed our U.S. industry sector specialists and asked them to categorize the current threat level as high, medium or low based on their views of the characteristics of the industry (see Chart 4 and Table 1 in the appendix for the detailed evaluation). The themes that dominate the high-risk group include extensive use of payment processing systems and personal financial data (retail, restaurants), valuable intellectual property (aerospace & defense, technology) and infrastructure and control system attacks (telecoms, utilities). The industries perceived to be less vulnerable tend to have lower value-added or commoditized products – lessening IP risk – and limited network connectivity (for example mining and forest products).

CHART 4 | HEATMAP OF SELECTED INDUSTRY THREAT RISK FROM CYBER ATTACK

High threat: Aerospace & Defense, Cable, IT Hardware & Semiconductors, Media & Entertainment, Regulated Utilities, Restaurants, Retail, Software & Tech Services, Telecoms

Medium threat: Auto OEM, Branded Nondurables, Capital Goods, Consumer Durables, Engineering & Construction, Healthcare Services, Leisure, Midstream Energy, Oil & Gas, Pharmaceuticals, Transportation (Cyclical), Unregulated Power & Gas

Low threat: Agribusiness & Foods, Auto Suppliers, Building Materials, Chemicals, Forest & Paper Products, Healthcare Equipment, Homebuilders & Developers, Metals & Mining, Railroads & Package Express, Transportation (Leasing)

Source: Standard & Poor's Ratings Services. Estimate only, based on survey of U.S. sector specialists, May-June 2015.

(10) http://www.ibamag.com/news/there-isnt-enough-cyber-insurance-capacity-says-aig-ceo-22025.aspx


CONCLUSION – ASSESSING THE GROWING CYBER THREAT

The threat posed to the corporate sector from cyber crime is substantial, widespread, and growing. Ever greater use of networked technology, devices, and communications has brought substantial benefits through efficiencies and growing markets. The downside appears to be heightened vulnerability to a form of attack that can have a devastating effect on data integrity, and consequently threaten revenues, profitability, debt levels, and reputation.

The nature of cyber risk means that it is particularly difficult to defend against on all possible fronts through which it could emerge. Few companies could claim to be entirely secure. We think it likely that most companies will have to start paying, or pay more, for the additional fixed costs of IT security and, potentially, cyber insurance policies. For the moment, however, the magnitude of such costs appears relatively small in relation to revenues and unlikely to adversely affect credit ratings.

Growing regulatory requirements around the disclosure of cyber attacks and emerging benchmarks for IT risk management will require increased attention from management and boards of directors. This is likely to play a growing role in our management and governance assessments, which rank among the modifiers that can raise or lower our anchor.

Given a severe enough incident, a cyber attack could potentially have credit rating consequences, most likely through weakening the business profile in terms of future revenue and profitability and by causing a deterioration in credit metrics. Post-attack costs have come in many forms: lost revenues, compensation costs, fines for regulatory breaches, legal action, and marketing efforts to restore reputations. These can add up to substantial sums, and a company that suffers repeated cyber breaches would no doubt see costs multiply rapidly.

To help gauge the threat on an industry-by-industry basis, our sector specialists have categorized the current threat level in terms of high, medium, and low. The common threads to high-risk industries are extensive use of payment processing systems and personal data, highly valuable intellectual property and data, and infrastructure and control systems that are being regularly probed for vulnerabilities. Low value-added or commoditized products and limited network connectivity characterize lower-risk industry exposures.

RELATED RESEARCH

• “Financial Services Creditworthiness Resilient To Cyber Security But For How Long?”, June 9, 2015

• “Cyber Insurance Product In Early Stages Of Evolution”, June 9, 2015


APPENDIX: INDUSTRY RISK SURVEY

TABLE 1 | U.S. SECTOR SPECIALIST SURVEY - CURRENT ESTIMATED INDUSTRY THREAT FROM CYBER ATTACK

Industry | Threat risk | Comment

Aerospace & defense | High | Defense contractors have sensitive information and have been targets of (apparently) foreign countries.

Agribusiness and commodity foods | Low | Not a lot of proprietary products. Some risk to production downtime.

Auto OEM | Medium | Trade secrets and manufacturing expertise are important, and automakers operate in many countries where IP security risk is high.

Auto suppliers | Low | Some technology and, as with automakers, theoretical production downtime from operational disruptions.

Branded nondurables | Medium | Product innovation is key: trade secrets could be taken, and companies could face production downtime.

Building materials | Low | Not a lot of sensitive financial information or intellectual property.

Capital goods | Medium | Threat most relevant for finance departments; high-profile names in the sector. Manufacturing process or disruption risk similar.

Commodity chemicals | Low | Widespread production, possible trade secret concerns; production disruption for economic gain is a possible risk.

Consumer durables | Medium | Product innovation is key: trade secrets could be taken, and companies could face production downtime.

Engineering and construction | Medium | Have design information on infrastructure, including nuclear; credit risk seen as akin to other multinationals.

Forest and paper products | Low | Not a lot of sensitive financial information or intellectual property.

Health care services | Medium | Extensive use of personal information has drawn interest from hackers.

Homebuilders and developers | Low | Possibly some sensitive financial information (in captive finance subsidiaries), but no significant intellectual property.

Leisure and sports | Medium | Most at-risk information is customer data, including credit-related data at gaming companies and lodging. Gaming companies with high-profile CEOs could be targets of politically motivated hacks, but those are likely to be infrequent.

Media and entertainment | High | See Sony as an example. Mitigants include the size and scale of major media companies (individual films and TV shows are leaked all the time, but the impact from that is marginal). For some businesses, like Netflix, an all-out attack could have significantly more impact.

Metals and mining, downstream | Low | Some high-profile international firms, but the sector is mostly smaller companies.

Metals and mining, upstream | Low | Pure commodities, some international exposure.

Midstream energy | Medium | Companies continue to invest in technology to manage cyber risk because crude oil spills or explosions resulting from a threat would be very damaging to a company's reputation.

Oil and gas drilling, equipment and services | Medium | If outsiders are after technology, the same end can be accomplished by acquiring companies.

Oil and gas integrated, exploration and production | Medium | Any attacks are aimed at drilling plays, probably to understand the reserve dynamics, geology and technology utilized.

Oil and gas refining and marketing | Medium | Refineries are highly dependent on network infrastructure and systems to ensure the safe and reliable operation of the refinery asset. Refineries invest extensively in proprietary systems to safely operate the assets and prevent security breaches. The risk is somewhat elevated due to the service that refineries provide, and any failure of the systems could have credit consequences because a breach will most likely mean that an asset is down for an extended period of time.

Pharmaceuticals | Medium | Pharmaceutical companies are not necessarily a high-level target, though they do have large amounts of proprietary data: clinical trial data/results, patient information from clinical trials, pricing strategies, cost data, legal/litigation strategies, and intellectual property. However, would-be hackers would have to have very specific reasons to seek the data. Reputational risk may be high, though, given the profile of larger pharma companies and the need for consumer trust.

Railroads and package express | Low | Lower-profile targets than most; incentive unclear.

Regulated utilities | High | We distinguish between two types of attacks/credit risk. For system attacks (electric utilities mostly), credit risk is low as long as we think utilities are managing the risk of attacks, and all signs are that they are. That risk is industry-wide (the grid is literally interconnected) and is being addressed industry-wide. For attacks on individual utilities to access customer data, we think the risk is a little more elevated because a breach could harm the utility's reputation more than most companies (because utilities are quasi-public and hold a certain amount of "public trust"), and that harm could translate into regulatory risk if the regulator thought the utility hadn't done enough to protect its customers.

Retail and restaurants | High | As a repository of financial and personal data, the retail sector has been a successful repeat target. Post-attack responses (monitoring, new credit cards, and increased security), along with retailers' financial resources, have kept rating actions at bay for now.

Specialty chemicals | Low | Some higher-end chemical compositions that could be of value, but not a high-profile segment for targeting.

Technology hardware and semiconductors | High | Risk to hardware companies is largely theft of IP, which companies take significant measures to protect; reputational risks are typically managed and monitored through appropriate software.

Technology software and services | High | Software companies and their products are a constant target of online hackers. Risks are comparatively lower for enterprise software than for service/consumer software companies. Most software companies have ongoing and complex measures to mitigate cyber risk, and the credit impact for large companies in particular is manageable given significant diversity, size, and an ongoing multilayered strategy to monitor and mitigate this risk (e.g., Microsoft constantly faces cyber attacks). IT service companies and companies with "software as a service" business models (as opposed to "software as license"; an increasing trend) rely on data centers and are exposed to ongoing hacking risks that might affect their operations (however, this is a smaller part of their business today).

Telecommunications and cable | High | Hackers constantly target telecom, cable, and data center companies for access to enterprise and government networks and sensitive consumer and business information. Types of hackers include strategic and criminal. Risks are theft/breach of private customer information and, to a lesser extent, the issuer's network operations. With networking and communications moving to mobile and cloud, the risks are increasing. Mitigants include increased awareness and layered security controls/active monitoring, and the size and diversity of networks, operations and customers.

Transportation (cyclical) | Medium | Airlines are visible, operate complex IT-based systems and could be disrupted by a malicious attack, perhaps less so for financial incentive. Less risk for trucking and shipping.

Transportation (leasing) | Low | Low profile; systems well monitored.

Unregulated power and gas | Medium | We believe an attack on a major asset, specifically a nuclear unit, is less likely to be successful as protections (firewalls) are typically strong for such sensitive and strategic facilities. However, a successful breach at an individual company would potentially result in higher costs for all companies, as the grid is interconnected. This sector could be disrupted by an attack, but financial incentives for an onslaught on these infrastructure assets (as compared to retailers) are low for cyber hackers.

Source: S&P Ratings. Estimate only. Survey conducted May to June, 2015.


Copyright © 2015 by Standard & Poor's Financial Services LLC. All rights reserved.

No content (including ratings, credit-related analyses and data, valuations, model, software or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor's Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an "as is" basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT'S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.

Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P's opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment and experience of the user, its management, employees, advisors and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives.

To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.

S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.

S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.standardandpoors.com (free of charge), and www.ratingsdirect.com and www.globalcreditportal.com (subscription) and www.spcapitaliq.com (subscription) and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.standardandpoors.com/usratingsfees.