The Interplay of Cyber Vulnerability and Enterprise Credit Risk

Shachar Reichman; Sam Ransbotham (Boston College); George Westerman (MIT)

The effects of cyber-attacks cascade through the entire ecosystem, resulting not only in direct costs of repairing and restoring the systems, but also in delays and halts of services and operations and, potentially, a loss of reputation and decrease in future business activity.

This research aims to develop a novel method to evaluate the interaction between cyber vulnerability and enterprise financial risk as reflected by its credit rating. Specifically, we will focus on the following hypotheses:

  1. An increased cyber vulnerability of a firm increases the probability of the firm’s credit rating downgrade.
  2. A credit rating downgrade of a firm increases its cyber vulnerability.

Taken together, the two hypotheses predict a circular relationship between cyber vulnerability and credit downgrade. To study this relationship, we will first explore the effect of a firm’s cyber factors, including DNS hacking events, intrusion risks, exposure to DoS attacks, servers’ configuration levels, and privacy measures, on its credit rating. We will then examine the counter effect: how a credit rating downgrade affects the firm’s information security measures. This potential endogeneity requires careful econometric identification, an important component of our proposed research.

First, we introduce a conceptual framework that illustrates the mutual effects of cyber threat and credit downgrade, accounting for other mediating factors. In the empirical part of the research, we plan to study and quantify the effect of each of the variables in the framework on the financial and security risk of a firm. Following the research hypotheses, we focus on two key aspects of this framework: (1) how cyber vulnerability may affect a firm’s financial performance and influence its operational stability, and (2) how a firm’s credit rating, specifically a downgrade, affects cyber vulnerability. The second part of the framework deals with the outcome of a firm’s credit downgrade, describing the consequential events and activities and how they may lead to increased cyber vulnerability.

We will empirically investigate the proposed model by analyzing security, credit, and related events for the Fortune 500 companies. We plan to develop models to estimate the effects described in the conceptual model:

  1. How does security vulnerability directly affect credit rating?
  2. How does credit rating downgrade affect a firm’s security vulnerability?
    1. How does credit rating downgrade affect internet presence and the subsequent security risks?
    2. How does credit rating downgrade affect firm financial activities and cyber security activities?

We will use machine learning algorithms to empirically analyze these data in order to generate a quantitative longitudinal approach that relates cyber vulnerabilities and incidents to the financial stability of firms.

