Rating Agency Cites Negative Impact of Growing Ransomware Threat

May 10, 2022

The frequency, severity, and sophistication of ransomware attacks in the United States rose dramatically in 2021 from a year earlier, according to Fitch Ratings. That trend is likely to continue as long as the profit incentives remain high for cyber criminals and outweigh the perceived risk of prosecution, the rating agency said.

Citing data from a report from the US Senate Committee on Homeland Security and Governmental Affairs, Fitch said attempted ransomware attacks increased 98 percent in the US and 105 percent worldwide in 2021 over the prior year. Ransomware payments also increased last year, Fitch noted, with financial institutions reporting $590 million in payments during the first half of 2021, exceeding total payments made in 2020.

"Cyber crime has increased since the pandemic as businesses expanded their remote access capabilities and digital footprints," a Fitch statement said. Again citing the Senate committee report, the rating agency said there were more ransomware attacks on government entities than on the private sector. Sectors such as health care and financial services that possess valuable personal information, payment data, or intellectual property tend to be targeted most frequently, Fitch said.

Fitch said that while it hasn't yet taken credit rating actions in any sector due to a ransomware attack, the risks are increasingly negative for affected organizations due to rising ransom costs and cyber criminals' increasingly effective extortion techniques, as well as the increasing proliferation of attacks given the interdependency of systems and businesses across supply chains.

The increase in ransomware attacks has led to executive orders and proposed legislation to address the risks, the Fitch statement said. There also have been several high-profile arrests within ransomware groups. In the United States, the Cybersecurity and Infrastructure Security Agency (CISA) has mandated minimum cyber-hygiene levels, while the SEC recently proposed new rules for enhanced and standardized cyber-security incident disclosure by publicly traded companies.

"These positive steps are additive, with potential material benefit from increased levels of transparency regarding cyber risk, and the elevation of these risk concerns to the board and executive levels," Fitch said. "This is critical as boards establish budgets for risk management, but more importantly approve risk parameters and choose leadership that establishes risk culture."