Business Practices, eNews
Cybersecurity: The sixth ‘C’ in credit
Cybersecurity has emerged as a critical component of credit management, earning its place as the unofficial sixth ‘C’ in the traditional five Cs of credit (Character, Capacity, Capital, Conditions and Collateral). As businesses increasingly rely on digital platforms for transactions, data storage and communication, the risk of cyber threats has escalated, making it essential for credit professionals to prioritize cybersecurity in their risk assessments.
Why it matters: Factoring in the risk cybersecurity poses in credit decisions is no longer a choice but a necessity to safeguard sensitive information and ensure the financial stability of both companies and their partners.
One way to analyze cyber risk is by reviewing cybersecurity risk ratings, also known as security ratings. These security ratings are quantifiable measurements of a business’s security health, leading to data-driven decisions about security performance of the organization and its third-party vendors. Financial institutions and businesses are prime targets for cyber-attacks, so security ratings are an important element to help organizations benchmark their performance and serve as a risk mitigator.
According to UpGuard (www.upguard.com), “security ratings or cybersecurity ratings are dynamic quantifications of an organization’s security position. Calculated through trusted data validation methods, security ratings produce an objective and easy-to-understand representation of an organization’s cybersecurity performance. To reflect cyber threat resilience, security ratings are calculated by considering multiple cyber-attack categories and are usually represented as a score ranging from 0-950.” Areas such as network, email, website and brand reputation can be factors that are weighed. Other areas to consider can be third- and fourth-party risks inherent within supply chains, whether a company has undergone an independent assessment of its security controls or penetration tests.
An exceptional security rating can be an asset that opens business opportunities and provides assurance to existing customers. Poor security ratings can indicate that a company’s data is at risk. Just as credit ratings and scores of a customer provide insight into their financial stability, cybersecurity ratings provide insight into the cybersecurity health of an organization.
By the numbers:
- The cost of cybercrime hit $8 trillion in 2023, translating to over $250,000 per second, according to a Cybersecurity Ventures report. The total annual cost is projected to rise to $10.5 trillion by 2025.
- Based on industry studies, cybersecurity professionals estimate that more than 800,000 people experience ransomware attacks, phishing attacks, or data security breaches each year.
- 95% of data breaches are due to human error.
- By 2025, nearly 60% of organizations will use cyber-security risk as a key factor when determining transactions and business with third parties.
What they’re saying: “Companies that don’t take their cybersecurity seriously are going to experience a lot of pain and pass that pain onto their trade partners,” said Steven Winn, director of credit at Marek Brothers Systems (Houston, TX). “We know all the data that we look at in credit ties back to the five Cs. You know their credit capacity, so security ratings are a just another data point in evaluating companies—and it’s a big one.”
Character, capacity, capital, collateral and conditions are the big five when assessing creditworthiness and risk.
Character: The willingness of a debtor to pay their obligations.
Capacity: The inclination or propensity of a business to operate profitably and its ability to pay trade creditors, banks and employees as debts become due.
Capital: The value of a customer’s business in excess of all liabilities and claims or financial strength.
Collateral: An additional source of repayment, sometimes property that may be pledged to satisfy a debt.
Conditions: External events or occurrences that may interrupt or disturb the normal flow of business.
“It used to be the four Cs, then expanded to five once a lot of losses happened surrounding the conditions of credit,” Winn explained. “Cybersecurity being the sixth ‘C’ would truly show the sophistication of a company. It shows your business’s understanding and awareness of the environment we’re in. If a company is not responding to that properly to take care of their business, vendors and customers, they’re a shaky company to begin with.”
Doing business with companies that are vulnerable to attacks puts everyone involved at risk. Nearly all businesses have moved to digital processes that rely on information systems or cloud access. This means one hack into your customer’s system will automatically impact yours, too.
“I experienced a situation a few years ago where a customer got their email hacked and the hacker changed our paperwork to reflect their account number,” said Melissa Blakely, CCE, CICP, A/R team lead at Zeon Chemicals LP (Louisville, KY). “Even something as small as that, versus bigger companies that have major cyber attacks, makes me think security ratings are an effective way to look at customers as another option for us when weighing in on assigning credit limits and handling past dues. It’s a great tool to acquire in the future for all companies.”
Some businesses have legal requirements against cyber risk already included in their protocols. To mitigate the risk of cyber-attacks and ensure compliance, companies will carry out a Written Information Security Plan (WISP). A WISP is a document of policies and procedures to protect sensitive information from unauthorized users, disclosure, alteration, access and destruction. It’s a blueprint for an organization’s information security and is intended for internal use as a reference and record of practices.
WISPs cover various aspects of information security including:
- Data encryption
- Access controls
- Network security
- Employee training
- Incident response protocols
Protection protocols, such as security ratings and WISPs, can be used as an extra layer of mitigation for both your company and when extending credit to customers. Know Your Customer (KYC) and the 5 Cs of credit are part of best practices for your credit department and all come together in cybersecurity.
“It is a huge factor when you’re looking at credit risk because it can cripple your ability to pay bills, move products and to do all the things that we need to do to operate the business,” said Ty Knox, ICCE, director of credit & risk at EFCO Corp. (Des Moines, IA). “It’s important that companies do their due diligence and take measures to ensure security breaches won’t happen—and if they do, the impact will not be as detrimental.”
The bottom line: Incorporating cybersecurity as the sixth ‘C’ in credit management is essential to safeguard sensitive information and financial stability.