Equifax just became the first company to have its outlook downgraded for a cyber attack
- A Moody's spokesperson said the downgrade is significant because "it is the first time that cyber has been a named factor in an outlook change."
- Equifax's breach in 2017 will have a lasting effect on the company's security spend and infrastructure costs, Moody's said.
Moody's has just slashed its rating outlook on Equifax, the first time cybersecurity issues have been cited as the reason for a downgrade.
"We are treating this with more significance because it is the first time that cyber has been a named factor in an outlook change," Joe Mielenhausen, a spokesperson for Moody's, told CNBC. "This is the first time the fallout from a breach has moved the needle enough to contribute to the change."
Equifax could not immediately be reached for comment.
The decision is significant because investors increasingly look to ratings firms and insurance companies to adequately predict the longer-term fallout of some of the biggest breaches, a difficult task given the relative lack of historical data on these incidents.
Moody's cited Equifax's recent $690 million first-quarter charge for the breach as contributing to the downgrade. The expense represents the company's estimate for settling ongoing class action cases, as well as potential federal and state regulatory fines.
The note also cited Equifax's hefty cybersecurity investments as problematic for its future strength.
"We estimate Equifax's cybersecurity expenses and capital investments will total about $400 million in both 2019 and 2020 before declining to about $250 million in 2021," the note says. "Beyond 2020, infrastructure investments are likely to remain higher than they had been before the 2017 breach."
Moody's also said Equifax may not be alone.
"The heightened emphasis on cybersecurity for all data oriented companies, which is especially acute for Equifax, leads us to expect that higher cybersecurity costs will continue to hurt the company's profit and free cash flow for the foreseeable future," Moody's said.
The firm recently said it's working on building cyber risk into its credit ratings, which would put corporations on the hook for their cybersecurity practices. Moody's has indicated that the types of companies most at risk include financial firms, securities firms, hospitals, market infrastructure providers and electric utilities.
As CNBC previously reported, the stolen Equifax data has never been found and intelligence officials largely believe it has been collected and used for foreign intelligence purposes.
These business owners won't get full forgiveness on their PPP loans
Despite Trump tweets, Americans still face weeks before more stimulus money arrives
New York Gov. Cuomo says museums, bowling alleys to reopen in NYC, and gyms may be next
Scientists say the coronavirus is at least as deadly as the 1918 flu pandemic
Trump tries to push for a coronavirus stimulus deal — after Congress has left town