Highly publicised incidents affecting sophisticated and global businesses such as Facebook and the NHS demonstrate that cyberattacks have the potential to affect almost any borrower.
Whilst these risks cannot be eradicated, the consequences for lenders can be managed. In this Insight our Banking and Finance experts explore ways in which we can help you to protect existing and future investments.
Cyber security and lenders - how to manage the risks faced by borrowers
Information is valuable yet vulnerable. Most borrowers hold some degree of digitally stored sensitive, confidential and personal information. Some handle significant amounts of funds. Many are also involved in enabling commercial transactions to take place and completing these transactions online. Each online step provides opportunities for interference.
Borrowers may also be underprepared. Some lack the proper policies, procedures and precautions required to prevent an attack. Some are affected by vulnerabilities created in their supply chain by third party contractors and suppliers. And it is not just SMEs that suffer; the highly publicised attacks on Facebook and the NHS have demonstrated that large, sophisticated and global organisations can be just as vulnerable as smaller enterprises.
The Cyber Security Breaches Survey 2018 reported that:
- over four in ten businesses (43%) and two in ten charities (19%) experienced a cyber breach or attack in the last twelve months; and
- under three in ten businesses (27%) and two in ten charities (21%) have a formal cyber security policy or policies.
Combine these statistics with the potential impact that an attack can have on a borrower's reputation and service delivery and it seems to be a good time to take stock of what can be done to protect a lender's investment against the cyber risks that are facing borrowers.
Any business disruption can have an impact on a borrower's eventual success and cyber attacks have the potential to create problems with far reaching consequences. An attack could cause a minor complication, preventing access to systems for a few hours and incurring limited remediation costs. Alternatively, it could lead to the eventual demise of an enterprise, as per the data breach that eventually toppled Mossack Fonseca. A business may also be significantly affected if a data breach results in tampering with information.
As with so many other risk management strategies, preparation is key. If a borrower has taken steps in advance to protect a business against the opportunity for attack and put in place an appropriate disaster recovery or mitigation plan, this will minimise the potential for damage to the borrower's business and a lender's investment should an attack occur.
- Before funding: You may find it useful to use a tool such as our Digital Risk Calculator as part of the due diligence processes to find out a borrower's digital risk score and identify their top five digital risks. This assessment, coupled with an analysis of the borrower's business and the key assets that drive its value could pay dividends. It should help to flag up whether a detailed enquiry into a borrower's infrastructure, policies and skills base in this area is required before funding takes place.
- Documenting the transaction: We can build additional protection into the documents for transactions involving high-risk borrowers. This could include:
- enhanced insurance requirements;
- undertakings to notify the lender of breach. For example, in the event of a loss of personal data, the borrower could be obliged to give notice to the lender at the same time as it delivers the notifications required by data protection legislation or its regulators. We can help you to identify the action points that are relevant to the specific borrower;
- ensuring that the covenants address the cyber threat that is most relevant to the business so that you do not need to rely on the material adverse change Event of Default; and
- enhanced warranties or information covenants around data management and cyber security.
- In the event of a breach: From a lender's perspective, clearly it will be important to get an understanding of the (hopefully short term) impact that an attack is going to have on the cash flow of the business. If this could present repayment issues then we suggest that you are alert to the risks of:
- consequential (and potentially automatic) cross defaults into other contracts.
- the business being unable to pay other creditors' debts as they fall due, resulting in a breach of solvency covenants and potential claims from creditors; and
- requests for additional short term working capital;
- potential breaches of financial covenants;
We recommend that the transaction documents are reviewed before entering into discussions with an affected borrower and that you talk to your legal advisers about the best way of granting leniency or documenting an amendment to the facility, if this is your aim. We will be able to guide you on the best way to protect your position and avoid inadvertently waiving your rights should enforcement action be required further down the track. Alternatively, if the interruption to business is more significant and time is of the essence, we can help you to quickly evaluate your options and take the right decision to protect your investment.
For further information on this topic you can read our article on understanding Digital Risk, or contact our experts whose details are given below.