Moody's downgrades Equifax's rating outlook over 2017 cyberattack

Credit ratings agency Moody's has downgraded Equifax's rating outlook from stable to negative over the 2017 data hack that caused huge financial losses to the company.

This is the first time that Moody's has taken a rating decision based on financial fallout from a data hack incident.

Moody's said that Equifax's reputation and business performance has suffered a lot since the incident. The company's cash flow has also declined constantly because of the heavy IT and legal expenses stemming from the cyberattack.

CNBC reports that lawsuits and multiple probes have cost Equifax about $690 million in Q1 2019 alone, and it may need another $800 million over next two years. In 2021, the litigation costs are expected to decrease to about $250 million.

Moody's believes Equifax will also need a good amount of money to spend on bolstering the security of its computer systems, further hurting company's profits.

"The heightened emphasis on cybersecurity for all data oriented companies, which is especially acute for Equifax, leads us to expect that higher cybersecurity costs will continue to hurt the company's profit and free cash flow for the foreseeable future," Moody's report said.

Equifax's data breach started in May 2017, although the company only discovered the hack in July 2017. Hackers exploited a software vulnerability, which was known for several months and was easily fixable.

By the time Equifax took steps to stop the breach, hackers had already stolen details of nearly 150 million people. The data compromised included driving license details, Social Security numbers, credit disputes information and other personal data.

Surprisingly, that data never appeared on any of underground websites selling stolen information. Further investigations indicated that a foreign intelligence agency might be behind the hack, and it may have used the data not for financial gains, but to recruit spies.

A 2018 congressional report on the hack concluded that the incident could have been prevented if Equifax had taken timely steps to address security holes in its systems.

The probe discovered lack of accountability and lack of internal IT management structure in the company that led to a gap between IT policy development and operation. Moreover, the outdated and complex IT systems made IT security a challenging job in Equifax.

Security experts concluded that Equifax failed to renew more than 300 security certificates for 19 months. Of those certificates, 79 were crucial for supervising business critical domains.

The consequences of the hack included the expulsion of Equifax's CISO and the CEO. The firm continues to feel the impact of shareholder derivative lawsuits as well as class action suits from consumers to date.

According to security analysts, Moody's action on Equifax is not only a wake-up call to boards and CEOs, but is also a critical inflection point for CISOs in the industry.