There are perhaps two pieces of news that have impacted the world of ITAM most this year. Early in the year came Oracle’s announcement that it was switching Java licensing to an employee metric. Then in August, the credit ratings agency S&P Global Ratings published a report stating publicly and boldly that S&P considers a company’s ITAM credentials foundational to effective cyber security: its absence at an organisation can be indicative of flawed cyber-risk management and could weigh on S&P Global Ratings’ view of an entity’s creditworthiness. This story was massive with our audience. It is hard to think of a conference or webinar since where it was not discussed at length. At the time we described it as a “golden ticket to ITAM professionals everywhere,” because it was the strongest single piece of evidence linking ITAM to a company’s bottom line. Every executive understands that a downgrade from S&P could be devastating, so the message is clear: don’t skimp on ITAM.
Given the impact of the story, we reached out to the report’s authors to learn more about their motivations for writing the report, and how they measure ITAM within their methodology. We spoke with Paul Alvarez, Cyber Risk at S&P Global Ratings, and Raam Ratnam, Managing Director – Sector Lead, EMEA Retail & Consumer at S&P Global Ratings.
Cyber security is of great interest to investors, so it is a topic on which S&P continues to publish its insights. This was, however, the first report that specifically called out ITAM as a component of cyber risk.
Paul Alvarez: “This isn’t the first report we have written about cyber risk. We have done some recently about regulations and detection, for example. This report was written in the same vein of identifying some of the fundamentals of cyber security and our views on how those may or may not impact a company’s credit rating.”
S&P is very transparent about its ratings framework, the methodology it uses to determine a company’s credit rating. As a credit ratings agency, S&P’s analysis boils down solely to the impact of any event on a company’s financial viability, in other words its ability to service its debt. This helps it see past the noise and focus on fundamentals.
Raam: “We want to be transparent about how our ratings are constructed. Being open about our credit rating methodology is at the core of what we do. When we look at the rating of a company we look at the business risk, which itself is comprised of many underlying factors like operational efficiency, profitability, competitive advantage and the scale, scope and diversity. We also look at the financial aspects of the company, taking account of factors like liquidity, capital structure, how it’s funded, cash flows etc. Our risk modifiers take account of management and governance, which is where cyber risk management and ITAM comes in.”
The S&P Global corporate ratings methodology has been around in its current form since at least 2013, albeit with a few updates along the way.
The flow chart below explains the S&P methodology for credit ratings for companies. Cyber risk (and subsequently ITAM) can impact many areas but is mainly evaluated under the Management and governance modifier.
Cyber risk is something S&P has been monitoring for some time, but as a topic it is becoming more relevant and widespread in its reporting. “For us we see cyber risk management as a demonstration of how a company manages contingent risk. For many companies the risk is here and is becoming more widespread, as we see more and more companies suffering from cyber incidents. On the broader topic of cyber we have therefore increased our level of vigilance,” commented Raam.
In assessing a company’s cyber risk preparedness, S&P refers to the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and expects companies to put in place appropriate defences for each of its five functions: Identify, Protect, Detect, Respond and Recover.
This is where ITAM plays its role, as a reflection of management and governance: you cannot protect, monitor or recover an asset you do not know you own.
Despite the growing focus on cyber risk and its consequent importance in a rating, Raam was keen to explain that even a significant data breach won’t necessarily cause a downgrade to a company’s rating if its credit fundamentals remain strong. While it might make for devastating headlines and a drop in the share price, if S&P deems that the event will not directly affect the company’s ability to service its debts, the credit rating will remain unchanged. That is not to say cyber risk plays no part in a rating. Citing a recent S&P report on 75 companies that had suffered cyber incidents, Raam highlighted that while no single incident had a direct impact on any of those companies’ ratings, cyber risk still remains a contributing factor to their ratings.
More recently in the case of U.S.-based Clorox Co., the consumer goods company faced operational disruptions on account of a cyber-attack. S&P Global affirmed its ratings because it believes that Clorox will recover nearly all of its lost distribution and market share. However, S&P Global revised its outlook to negative from stable, reflecting the potential for a lower rating if Clorox does not demonstrate material sequential recovery in 2024 from the recent cyberattack.
While S&P clearly states that ITAM is a foundational factor in effective cyber security, and one that can impact a rating, we quizzed Paul and Raam on whether a financial penalty following a software licence audit could have any impact on a rating. Here the link was less direct, because the financial cost is largely insignificant when weighed against a company’s overall financials. As painful as an unbudgeted software cost can be to an individual department, it is rarely, if ever, large enough to threaten the company’s existence.
Raam and Paul reiterated that ratings are primarily determined by business and financial risk factors; everything boils down to the severity of the business or financial impact at some point. This is why, even in an era of ever-increasing fines for cyber security or data protection failures, even the hardest-hit companies have not received a downgrade purely on account of a cyber incident… yet. If an organisation has multiple billions in cash and even more billions in debt that it is able to service, then even multi-million audit penalties may not materially weaken its credit ratios or liquidity. However, S&P Global notes that, given the scale and extent of business disruption arising from some recent cyber events, the financial impact is becoming more meaningful and can reduce a company’s headroom under its credit metrics.
“While cyber incidents have not weakened business or financial risk profiles or directly resulted in negative rating actions, they increasingly have the potential to erode credit quality, accentuate other credit risks, and put downward pressure on credit ratings over a period of time.”
S&P Global Ratings’ recognition of ITAM as a component of cyber risk, and of its link to credit ratings, highlights the growing importance of robust ITAM practices. Effective ITAM is clearly perceived as a reflection of a company’s wider risk management capability. The absence of ITAM creates gaps and blind spots in an organisation’s cyber risk management: an asset that is not inventoried cannot be patched, monitored or retired, which leads to increased vulnerability, compliance issues, inefficiencies and sub-optimal incident response. Ineffective ITAM creates the same problems and, as a result, can be a gateway to security incidents.
For IT Asset Management professionals, this underscores the critical role they play in a company’s overall risk management strategy. The S&P methodology, which considers factors like operational efficiency, competitive advantage, liquidity, capital structure and governance, treats ITAM as integral to sound management practice. The NIST Cybersecurity Framework referenced by S&P reinforces the need for companies to identify and protect their assets and to detect, respond to and recover from cyber incidents; ITAM maps most directly onto the Identify function, whose asset management category depends on an accurate inventory of hardware and software, and it feeds the management and governance assessment described above.
In conclusion, you should leverage the S&P report to reinforce the importance of ITAM within your organisation. Emphasizing the role of ITAM in bolstering risk management and governance practices can contribute to maintaining strong fundamentals. As the business landscape continues to grapple with evolving cyber threats, ITAM emerges not only as a cost-saving practice but as a strategic imperative for safeguarding a company’s business and financial profile.