
Banks Impose Higher Rates for Poor Cybersecurity Practices


CFOs Should Know: Lackadaisical Security Carries a Price

In the contemporary landscape of finance and banking, cybersecurity is becoming increasingly pertinent. Recent academic studies reveal a troubling correlation between inadequate cybersecurity measures and increased borrowing costs for businesses. Specifically, companies with poor cybersecurity may find themselves paying significantly higher interest rates on loans—potentially as much as ten basis points more than their more secure counterparts. This trend highlights a critical issue in the finance sector that CFOs must address.

The implications of weak cybersecurity are far-reaching. Research indicates that depending on the scale of the loan, substandard cybersecurity could result in additional costs running into the hundreds of thousands of dollars annually. This financial strain can stem from increased interest payments that arise when banks factor in the perceived risks associated with lending to a company exhibiting weak cybersecurity measures.

Hans Degryse, a finance professor at KU Leuven University, points out the stark financial realities. He explains that, for a median firm featured in their study, an investment in cybersecurity that effectively reduces risks could lead to a decrease in interest payments amounting to approximately $600,000 over the life of a syndicated loan. These considerable savings make a compelling case for businesses to prioritize cybersecurity investments.

Amy Sheneman, an assistant professor of accounting at Ohio State University and co-author of related research, notes that many borrowers are unaware that their cybersecurity vulnerability is being factored into their loan pricing. This lack of awareness can deter them from making essential investments in their cybersecurity infrastructure. Sheneman’s research suggests that companies assessed with higher ex-ante cybersecurity risks face an average borrowing cost increase of 10 basis points. Degryse’s findings note a range of four to 13 basis points, depending on the severity of the assessed risks.

Lending institutions are responding to these findings with increased scrutiny. The study reveals that risky businesses often endure more stringent loan covenants, which commercial banks apply more aggressively compared to non-bank lenders. This trend seems to stem from tighter regulatory frameworks and a reduced appetite for risk among traditional banking institutions.

These emerging insights mark a paradigm shift in how cybersecurity is perceived in financial contexts. Some major banks have acknowledged the impact of cyber risk on lending strategies and are increasingly incorporating these risks into their pricing models. For example, JP Morgan Chase admits that its business customers introduce cyber risk and engages in “periodic discussions” regarding cybersecurity improvements. Likewise, Santander acknowledges that it evaluates ratings and broker reports that consider cyber exposure in pricing loans. The major global rating agencies (Fitch, Moody’s, and S&P) are similarly incorporating cyber risk assessments into their evaluations of operational risk.

The potential consequences of neglecting cybersecurity can be dire. Research highlighted in the Hiscox Cyber Readiness Report 2026 states that a staggering quarter of U.S. small businesses perceive cyberattacks as a threat to their viability. This points to the notion that the actual impact on small business survival could be even more pronounced when considering survivorship bias.

Anthony Young, the CEO of Bridewell, underscored the necessity of transparent pricing of cyber risk by banks, suggesting it could foster a stronger cybersecurity posture across the economy. He asserts that linking the cost of borrowing to cyber risk could serve as a powerful motivator for businesses to bolster their cybersecurity measures. Young notes that actual cyber incidents are already prompting board-level investments, eclipsing motivations rooted merely in compliance.

He cautions, however, that this transition requires careful implementation. Without a proper understanding of how their cyber risk is gauged, organizations may reduce the process to a mere checkbox exercise, failing to realize genuine improvements in resilience.

Competing priorities also complicate the landscape for lenders. Borrowers are increasingly perturbed about whether banks have adequate insight to make informed decisions on cybersecurity risk. Young points out that, unlike financial metrics, evaluating cyber risk can be challenging due to dependencies on incomplete or self-reported data.

The key challenge lies in banks developing consistent, objective methods for assessing cyber maturity. Should these assessments lack integrity, there remains a threat of mispricing or oversimplification of a risk that is ever-evolving and highly contextual. As Mike Horrocks of Baker Hill notes, most banks are still refining their approaches to assessing cyber risk, and at present, it often plays a secondary role compared to traditional metrics like collateral and cash flow.

In competitive lending environments, particularly in larger metropolitan areas, banks might hesitate to impose higher rates for cyber risks, concerned about losing business to rivals. Sheneman’s analysis indicates that lending institutions in less competitive markets are more inclined to incorporate cybersecurity risk into their pricing models.

Ultimately, the relationship between cybersecurity and financial health is intricate and nuanced. Companies seeking loans must recognize the financial repercussions tied to their cybersecurity practices. The scholarly findings emphasize that there is still room for a cyber risk premium to exist, especially in larger, more competitive markets. As the financial landscape progresses, awareness and understanding of cybersecurity’s impact on borrowing costs will be imperative for CFOs and businesses alike.
