Banks penalize poor cybersecurity
Studies show lenders are charging firms with weak cybersecurity as much as ten extra basis points on loans, effectively turning cyber risk into a borrowing cost. Analysts and local advisers say this dynamic is already affecting midsize businesses and can amplify ransomware’s financial impact. (bankinfosecurity.com) (crimsonit.com)
A company can now get hit by ransomware twice: once by the criminals, and again by the bank. New reporting on U.S. lending says firms with weaker cybersecurity can pay up to 10 basis points more on loans, which is 0.10 percentage point added to the interest rate. (bankinfosecurity.com) That sounds tiny until you put it on a real loan. On a $100 million credit facility, 10 basis points is about $100,000 a year in extra interest before a single file is locked or a ransom note appears. (bankinfosecurity.com)

Banks are doing this because cyber risk now looks like default risk. If a manufacturer, law firm, or hospital loses systems for a week, cash stops moving, invoices stall, and the odds of missing debt payments go up. (crimsonit.com)

The academic evidence is getting specific. A 2021 study of 290 cybersecurity breaches from 2005 to 2018 found that loans initiated after a breach carried spreads about 30 basis points higher than loans made before the breach. (sec.gov) Newer research says lenders are not just reacting after an attack. A 2025 paper in The Accounting Review found that banks price cybersecurity risk directly into loan contracts, which means the penalty can show up before any public breach happens. (publications.aaahq.org) Another study found the terms can tighten in more than one place at once. After a reported data breach, firms faced higher loan spreads, were more likely to pledge collateral, and were more likely to accept extra lender covenants. (ira.lib.polyu.edu.hk)

This is no longer just a Fortune 500 problem. Advisers working with Los Angeles midsize businesses say hybrid work, multiple offices, old infrastructure, and vendor-heavy operations are making ransomware a day-to-day operating risk for companies far below the public-market tier. (crimsonit.com)

Public companies also have to explain more of this in plain view.
The Securities and Exchange Commission’s 2023 rules require disclosure of material cybersecurity incidents on Form 8-K and annual disclosure of cyber risk management and board oversight in the Form 10-K. (sec.gov) That creates a feedback loop. A breach can raise cleanup costs, trigger disclosure obligations, and hand lenders fresh evidence that the borrower’s controls were weaker than management said. (federalregister.gov) The practical shift is that cybersecurity is being treated less like an information-technology expense and more like insurance, credit quality, and plant maintenance. If a firm can show tested backups, patched systems, and a real incident-response plan, it is not just trying to avoid an outage; it is trying to avoid paying banker prices for digital negligence. (uta.edu)