One of the recurring problems in getting private sector firms to focus energy and resources on cyber security has been the lack of clear consequences for firms that fail to clear the cyber security bar. Consider that investors forgave firms like TJX, Home Depot and Target despite those firms having suffered massive data breaches. Those breaches were, no doubt, expensive to recover from. But they were not existential events and – in the absence of strong penalties – the math comparing the “cost to prevent” to the “cost of doing nothing” is often unconvincing.

In the absence of strong action from federal or international regulators, one thing that could change this distressing state of affairs is for the market itself to impose high costs on companies that take a pass on their cyber security. Insurance is one way to do that, and the cyber insurance market is growing by leaps and bounds. The other market-based mechanism, of course, is held by credit ratings agencies, whose evaluations of private sector and public sector organizations determine how easily and cheaply they can finance their continued operation. Needless to say: a bad credit rating from a major ratings agency can significantly raise a firm’s borrowing cost, hampering plans for growth and expansion and even imperiling business operations.

And there’s growing evidence that ratings agencies are prepared to adjust credit ratings downward based on knowledge of damaging cyber incidents including loss or theft of data. In a note earlier this week, for example, S&P analyst Laurence Hazell noted that Standard and Poor’s considers cyber risk as a component of so-called “ESG” (environmental, social and governance) risks that affect overall credit risk and ratings, putting cyber alongside the risks of man-made climate change as a potential cause of sudden shifts in an organization’s credit rating.

“While different in so many important respects from the issues regarding the natural environment, we are beginning to make inroads to the assessment of credit impacts from cyber-crime and cyber-breaches,” he wrote.

S&P published two reports in June that laid out the case for taking cyber risk into account when analyzing organizations’ credit worthiness. The company makes clear that cyber incidents haven’t yet resulted in a ratings downgrade, even at financial and retail organizations that have been the victims of major cyber attacks. But the credit ratings agency suggested it was more a matter of “when” than “if” such a downgrade would happen.

“It’s not difficult to envision scenarios in which criminal or state-sponsored cyber-attacks… would result in significant economic impacts, business interruption, theft, or damage to reputation,” the company wrote.

Still unclear is what might contribute to a cyber incident resulting in a credit downgrade, given that retailers, banks, financial services firms and other high profile organizations are the target of almost daily attacks – some of them successful. According to this report in Insurance Journal, “the most likely adverse ratings impact would stem from an attack weakening a target company’s business profile, most likely in terms of future revenue and profitability, and by causing deterioration in credit metrics.”

S&P has indicated that it would look at a cyber incident’s impact on cash flow, especially in regard to the cost of recovery, implementing new security measures, increased insurance premiums, fines and mandated disclosure.

While companies might be loath to discuss the particulars of steps they have taken to shore up defenses following an incident, S&P said that cyber risk needs to have board-level visibility.

Recent reports suggest that the business cost related to information security risk is rising. In October, for example, Reuters reported that cyber insurance premiums are jumping following a string of large and high-profile breaches. According to that report, insurers are raising deductibles and in some cases limiting the amount of coverage to $100 million, leaving many potentially exposed to big losses from hacks that can cost more than twice that.

Paul F. Roberts is the Editor in Chief of The Security Ledger and Founder of The Security of Things Forum.