Written by Jeff Stone
The Equifax data breach that compromised information on more than 147.9 million people continues to affect the company’s business prospects nearly two years after the incident was publicly announced.
Financial ratings service Moody’s has downgraded its rating for Equifax from “stable” to “negative,” citing a high level of cybersecurity expenses and ongoing litigation following the massive 2017 security incident.
This downgrade, announced Wednesday, marks the first time cybersecurity has been named as a factor in an outlook change, a Moody’s spokesman told CNBC.
Breach litigation and related investigations cost Equifax $690 million in the first quarter this year, according to the report. Analysts predicted the credit-ratings firm will spend an additional $400 million on cybersecurity expenses and capital investments in both 2019 and 2020 before that rate declines to roughly $250 million in 2021.
“The heightened emphasis on cybersecurity for all data-oriented companies, which is especially acute for Equifax, leads us to expect that higher cybersecurity costs will continue to hurt the company’s profit and free cash flow for the foreseeable future,” the report stated.
Equifax planned to spend $200 million on cybersecurity in 2018, chief information security officer Jamil Farshchi told CyberScoop in July. Investigators determined the hackers, whose identity remains unknown, were able to infiltrate Equifax’s systems because the financial company was relying on outdated software for which a patch was available.
By spending hundreds of millions of dollars on security-related expenses every year, Moody’s says Equifax will have less money to invest in new products that could enhance revenue growth. Meanwhile, rivals Experian and TransUnion have the funds to experiment with new opportunities and take market share, according to the report.
Equifax previously reported a first quarter revenue of $846.1 million, below analyst expectations.
Moody’s, like Standard & Poor’s and Fitch Group, ranks the trustworthiness of companies, bonds, finance transactions and sovereign countries based on the likelihood of investor losses. Cybersecurity has not traditionally been included in the formula that determines a firm’s credit risk, though Moody’s recently said it would begin to include digital risks in its considerations.
It’s an urgent issue. Four sectors with a combined $11.7 trillion in outstanding debt have high risk exposure to cyberattacks, Moody’s said in February.