Cyber risk is now balance-sheet risk
Studies show lenders are beginning to price cyber posture into credit terms, with poorly secured companies paying higher borrowing costs, even as high-impact vulnerabilities continue to surface and affect millions of users. Recent disclosures around an Android SDK flaw affecting over 50 million users and an EngageSDK issue exposing crypto-wallet installs underline why cyber posture is moving from IT hygiene to a financing and operational concern. (bankinfosecurity.com) (techradar.com) (cybersecuritynews.com)
A company that skimps on cybersecurity can now get charged more for money, the same way a driver with crash tickets pays more for insurance. New research cited by BankInfoSecurity says weak cyber posture can add about 10 basis points to a loan, and one study estimated a median borrower could save about $600,000 over a syndicated loan by cutting cyber risk. (bankinfosecurity.com)
Banks are not just raising rates. The same studies found riskier companies also face tighter loan covenants, and commercial banks were stricter than non-bank lenders in both pricing and restrictions. (bankinfosecurity.com)
That shift is happening because cyber incidents can now hit cash flow, customers, and legal costs all at once. BankInfoSecurity reports that JPMorgan Chase has said business customers create cyber risk for the bank, while Santander reviews ratings and broker reports when pricing loans. (bankinfosecurity.com)
Credit raters are moving the same way. Fitch says cyber risk is part of how it looks at operational risk in credit ratings and debt markets, which means security problems can feed into how investors judge a borrower before a bond is ever sold. (fitchratings.com)
The reason lenders care is that one weak software component can spread risk across millions of users in one shot. On April 9, 2026, Microsoft disclosed a flaw in a third-party Android software development kit called EngageSDK that could let one app on a phone break Android’s app sandbox and reach private data in another app. (microsoft.com)
A software development kit is a prebuilt bundle of code that app makers plug in to save time, like buying a lock instead of machining one yourself. Microsoft said this single kit was present in apps with more than 30 million crypto-wallet installs alone, putting personally identifiable information, login credentials, and financial data at risk. (microsoft.com)
Microsoft said the bug was fixed on November 3, 2025 in EngageSDK version 5.2.1, and Google Play removed the apps it found using vulnerable versions. Microsoft also said Android added extra protections for users who had already installed affected apps. (microsoft.com)
The scale was bigger than the wallet apps alone. Reporting on Microsoft’s disclosure said the flawed kit had exposed more than 50 million Android users, which is the kind of number that turns a coding mistake into a boardroom and lender problem. (techrepublic.com)
This is why cybersecurity is getting treated less like an information-technology budget line and more like plumbing, fire safety, and debt service. If a hidden dependency can put 50 million devices at risk and push borrowing costs higher by 4 to 13 basis points, security spending starts to look a lot more like interest-rate defense than optional hygiene. (bankinfosecurity.com) (microsoft.com)