Studies: Banks Penalize Bad Cybersecurity With Higher Rates


Finance & Banking, Governance & Risk Management, Industry Specific

CFOs Should Know: Lackadaisical Security Carries a Price

Image: Halytskyi Olexandr/Shutterstock

Bad cybersecurity is bad for business. A badly secured business may pay as much as ten basis points more on a loan than it would if its security posture were up to scratch, according to academic studies examining how U.S. banks price debt.


Depending on the scale of the loan, the bill for substandard cybersecurity could run into hundreds of thousands of dollars each year.

“If we consider the median firm in our sample and suppose that firm could reduce cybersecurity risks by one standard deviation by doing investments [in cyber], it would reduce its interest payments by about $600,000 over the lifetime of the syndicated loan,” said Hans Degryse, professor of finance at KU Leuven University and co-author of “Do lenders price firms’ cybersecurity risk?”

Some borrowers may simply be unaware that banks are pricing cybersecurity exposure into interest rate calculations, said Amy Sheneman, assistant professor of accounting at Ohio State University and author of a separate article on cybersecurity risk and loans.

For cybersecurity professionals, that’s unfortunate. “If CFOs understood that [bad cybersecurity] is priced, they may be more willing to make investments in their cybersecurity systems,” Sheneman wrote.

Based on multiple analyses, she found that firms with higher ex-ante cybersecurity risk face higher borrowing costs by an average of 10 basis points. Degryse’s work cites a range of four to 13 basis points, depending on the severity of the perceived risk. Risky businesses are also being hit with more restrictive loan covenants, his study found, concluding that commercial banks tend to adopt a more stringent approach to pricing cybersecurity risk and applying covenants than non-bank lenders. This is likely due to tighter regulations and a lower appetite for risk.

These studies are among the first to expose how important cybersecurity has become as an ex-ante criterion for assessing company risk – although some major banks have already disclosed that cyber risk affects their lending strategies. JP Morgan Chase has acknowledged that business customers create cyber risk for the company and said it engages in “periodic discussions” with its customers about those risks and how customers can improve their cybersecurity posture.

Santander says it reviews ratings and broker reports when considering the pricing of loans. The three largest global rating agencies – Fitch, Moody’s and S&P – all include cyber exposure as part of their assessment of companies’ operational risk.

Lenders are right to be concerned about the potential for cyber risk to result in loan defaults. A quarter of U.S. small businesses said the viability of their company was threatened by a cyberattack, according to research data cited in the Hiscox Cyber Readiness Report 2026. The nature of survivorship bias means the actual impact on small business survival could be even higher.

Anthony Young, CEO of Bridewell, a firm that assesses cyber risk, said that banks transparently pricing cyber risk could result in better cyber posture across the economy. “Linking cyber risk to the cost of borrowing could be a powerful motivator,” he told Information Security Media Group. “We’re already seeing that real-world cyber incidents are driving board-level investment more than compliance alone. If financial institutions start pricing cyber risk more explicitly, it will likely accelerate that trend.”

“It needs to be done carefully,” he added. “If organizations don’t understand how their risk is being assessed, it could become a tickbox exercise rather than driving meaningful improvements in resilience” (see: Boards Now Treat Cyber Risk as a Business Issue).

Competing Priorities

Borrowers, of course, want to know whether lenders have sufficient insight to make informed decisions about cyber risk.

“Unlike financial metrics, cyber risk is harder to quantify and often relies on incomplete or self-reported data,” Young said.

The challenge for banks will be ensuring they have consistent, objective ways of assessing cyber maturity – otherwise, there is a risk of mispricing or oversimplifying what is a highly dynamic and context-specific risk.

“Most banks aren’t doing it incredibly well at this point,” said Mike Horrocks, senior vice president at Baker Hill. Cyber risk is a secondary factor for lenders, less important to banks than collateral, real estate and cash flow, he said.

Banks must also mitigate risks on multiple fronts, so customer cyber risk can temporarily fall down the list of priorities.

Even if banks universally had a robust methodology for assessing customer cyber risk, lenders in larger metropolitan areas could find it difficult to charge a premium to riskier businesses without being beaten on price by other lenders, some of which may have poorer risk insight, according to Sheneman.

“Lenders in less competitive markets are more likely to price cybersecurity risk. In contrast, in highly competitive markets, lenders tend to absorb more of the risk,” she argued, based on the data analysis contained in her study.

This competition dynamic could push companies in smaller metropolitan areas to improve their cyber posture, while companies in larger metropolitan areas face less of an incentive to do so.

Given the opacity of risk pricing and lender risk appetites – plus imperfect information on customer cyber risk – it is unlikely the market will reach a perfect equilibrium balancing cyber risk against loan payment terms, leaving room for a small cyber risk premium to remain even in larger metropolitan areas.
