By Eefje Van Craen, Bill Weiss

One of credit managers’ primary responsibilities is to ensure that their firms do not engage with customers who pose a significant risk of default. Companies with a higher risk of late payments or default on their obligations tend to also exhibit poor cybersecurity. Conversely, strong cybersecurity is a positive indication of successful corporate governance and management effectiveness. Trade credit managers must give dedicated attention to managing cyber risks as part of their due diligence process, alongside financial, operational, and compliance risks. 

Trade credit professionals have the following concerns when it comes to their customers’ cybersecurity: 

1. Data breaches: A data breach can lead to monetary loss, reputational damage, and potential legal and regulatory consequences. For trade credit managers, understanding the risk of their customers or suppliers encountering data breaches is critical, particularly when sensitive and proprietary data — including financial and pricing data — is exposed. 
2. Fraudulent activities: Cybersecurity threats can result in fraudulent activities, such as identity theft, phishing scams, or invoice fraud. These events are often due to compromised business emails. Trade credit managers need to be cautious about the authenticity of the parties they are dealing with; they must also ensure that their customers’ and suppliers’ systems are adequately protected and have the right cybersecurity controls in place to help prevent fraudulent activities. If your customer falls victim to a phishing scam, it can affect if and when your invoices are paid. 
3. Business disruption: Cybersecurity incidents, like ransomware attacks, can cause significant disruptions to business operations. For trade credit managers, this can result in delayed processing orders, payments, or collections, leading to potential financial losses and damage to customer relationships.

The importance of monitoring cyber risk in trade credit

An industrial manufacturer known for its solid financial standing faced a significant setback in 2020 when it fell victim to a devastating ransomware attack. The attack had a profound impact on both its operational health and creditworthiness. Its probability of default, which had previously stood at a negligible 0.5%, increased 10-fold. The severe reputational damage from this attack left the manufacturer unable to secure any acquisitions, and to this day it continues to struggle with a weakened financial position.

Moreover, a recent ransomware attack dealt a severe blow to another major corporation in 2024, harming its operations and reputation. The ransomware organization held highly sensitive data hostage, causing system downtime and bringing the company to a standstill. The company disclosed that the attack cost it over $870 million within the quarter, indicating a swift and negative impact on its financial health. This can have far-reaching effects on its suppliers and its ability to make timely payments.

Beyond the breach, the incident highlights cybersecurity’s critical role as a strategic concern, not merely a technical one. Before the attack, the company’s Bitsight rating of 640 placed it in the bottom 10% of its industry peers. Its rating had dropped by 80 points over the 12 months preceding the attack — a clear indication of a decline in cybersecurity performance.

A recent study revealed that companies with a similar Bitsight rating are 3.2 times more likely to face a cybersecurity incident than those with a rating of 750 or higher. Bitsight's studies show that companies with a security rating between 600 and 650 are 4.6 times more likely to experience a ransomware event. In this case, the data was not just predictive but prophetic.

Another key indicator of a company’s cyber vulnerability is patching cadence — the speed at which an organization remediates its exposure to known vulnerabilities. This is one of the most highly correlated data points to the likelihood of a ransomware or malware event, and, according to Bitsight data, this company received D’s and F’s in patching cadence for the three years prior to the attack.

Not only has the organization paid a hefty ransom to the cybercriminals, but it turns out that a second ransomware entity may have also extorted the company weeks after recovering from the initial attack.
The Bitsight cyber risk data acted as an early warning signal, identifying risks for the company, its suppliers, and other partners. Credit departments that incorporate this cyber risk data into their credit monitoring processes would have been aware of the risk and had an opportunity to act before any payments were in danger.

Protecting against default includes managing cyber risk

Adverse cyber events can have a swift and immense negative effect on a company’s financial health, reputation, customers, suppliers, and partners. Large credit departments can help protect themselves by incorporating cyber risk into their existing credit processes and workflows with Moody’s Trade Credit Solution, which gives credit departments access to Bitsight’s critical cyber risk data and delivers key actionable insights directly through the platform.

Research indicates that the average cost of a cyberattack to a company amounts to around $4.45 million.1 As shown above, this kind of financial burden can easily affect a business’s ability to successfully maintain its commercial relationships and meet its credit obligations. Trade credit managers not only need to ensure their customers do not impose a significant risk of default but also proactively monitor portfolios to identify and address new risks before they lead to defaults. It is alarming to note that 60% of small businesses go out of business2 following a cyberattack, particularly considering that these businesses do not have cyber risk insurance. Protecting against default includes considering the risk of cyberattacks.

How we can help:

Moody's can help trade credit managers obtain an integrated view of risk to unlock opportunities and make informed decisions. We provide assessments of customer and third-party cybersecurity risk for use during the credit review process and help continuously monitor customers’ and third parties’ cybersecurity performance to reduce the likelihood of incidents. Our assessments help credit managers understand a third party’s potential exposure to data breaches, business disruption events, and fraud. To learn more, contact us today.

1 Cost of a data breach 2023 | IBM. (n.d.). https://www.ibm.com/reports/data-breach
2 60 Percent of Small Businesses Fold Within 6 Months of a Cyber Attack. Here’s How to Protect Yourself. (n.d.). Inc. https://www.inc.com/joe-galvin/60-percent-of-small-businesses-fold-within-6-months-of-a-cyber-attack-heres-how-to-protect-yourself.html