- Cyber attacks can harm financial institutions' credit ratings, mainly through reputational damage and potential monetary losses.
- Accelerated digitalization and remote working arrangements have increased the financial sector's exposure to cyber risks and could lead to more complex cyber attacks that trigger higher losses.
- Financial institutions with weak risk governance are less prepared for, and therefore more vulnerable to cyber attacks.
Cyber risks present a growing threat to financial institutions. A large-scale cyber attack can potentially have a considerable impact on an institution's ability to service its obligations in full and on time. The financial industry is a key target of cyber criminals because banks and other financial institutions store sensitive personal data and possess valuable information regarding financial transactions (see chart 1). Increasing digitalization in the banking system, and accelerated work-from-home arrangements in response to the COVID-19 pandemic, have further exposed the industry to cyber-criminal activity by significantly increasing online communication.
Cyber attacks have the potential to harm credit ratings through reputational damage as well as monetary loss. Nevertheless, in the event of a large-scale attack on a systemic bank or several large institutions we could foresee governments taking measures to stabilize the sector.
In our analysis on banks' creditworthiness, we may give consideration to cyber risks both at system-wide and at entity-specific level. Our system-wide banking sector analysis would capture cyber risks in a given country, when, for example, a banking industry as a whole suffered from a series of repeated, serious breaches of security, or if we saw that the regulators were more reactive than proactive in forcing financial institutions to strengthen their cyber security frameworks.
Our analysis of bank-specific factors (see diagram) captures the consequences of cybersecurity events in the following areas:
- The bank's business stability could be impaired by loss of customer confidence as a result of a successful attack. We also consider the ability to manage and prevent cyber risks as a part of our management and governance assessment.
- Potential losses from cyber events could lead to material losses and, in turn, hurt a bank's capitalization.
- Poorly managed cyber risks could expose structural weaknesses of a bank's risk management.
- A cyber event might result in severe reputational damage. This could potentially lead, in extreme cases, to sudden outflows of clients' funds and liquidity pressure.
The Pandemic Pushed Up Cyber Risks
Although consistent data regarding cyber incidents are not always available--not least because only a fraction of incidents becomes public--media reports of successful cyber attacks on financial institutions have increased. We believe the banking sector is becoming ever more exposed to cyber crime after the COVID-19 pandemic and work-from-home arrangements urged banks and other financial institutions to increase their digital presence.
The U.S.-based software company Guidewire reports that most publicly available cyber incidents at financial institutions are related to data breaches. The number of ransomware attacks is also on the rise. Relatively large financial institutions continue to be the most frequent targets of reported successful attacks (see chart 2). Yet, in our view no financial institution is immune to damaging cyber events, and institutions that do not invest enough in cyber security could be attacked frequently and successfully.
The Banking Sector Is An Attractive Target
We see several reasons why cyber criminals are keen to target banks.
Banks are a key pillar of nations' critical infrastructures. They handle numerous monetary transactions allowing smooth functioning of economic activity and play a key role in payment processing. Cyber attacks could disrupt these activities.
A bank security breach gives attackers direct access to money. For that reason, cyber attacks frequently directly target banks' payment infrastructure. The global provider of interbank money transfer services, SWIFT, has seen repeated attacks on its member banks, including on the 2016 Bangladesh central bank, one of the most prominent known cyber attacks, when $81 million was stolen by cyber criminals before the bank managed to prevent further money transfers.
Banks possess a wide range of personal data. This is of interest to attackers because it can also be used for other malicious activities, such as identity theft. For that reason, bank customers (retail and corporate) often are the main target of cyber attacks, frequently considered as the "weakest link" in any cyber defense system. Attacks include sending out phishing emails that look like they are sent from the bank or, increasingly, social engineering on popular social media platforms. At the same time, attackers increasingly target bank employees using the same techniques, aiming to expose devices to malware that could then enter the bank's core system if the right endpoint controls are not in place. This could allow the attackers to get access to data that is normally only accessible behind banks' virtual private networks (VPN), which makes attacks on employees particularly sensitive.
Cyber attacks on banks are evolving and becoming more sophisticated, frequent, and coordinated. Attackers rely on modern technology and target weaknesses in banks' IT infrastructure. One example of this is by flooding customer-facing bank websites with traffic (a so-called distributed denial-of-service attack) to take them offline in order to either blackmail the bank or to steal bank customer data.
Overall, we believe that a combination of specific features--such as possession of valuable personal data and critical role in servicing particular financial or economic needs and segments--as well as an entity's weak awareness of potential cyber risks make a financial institution an attractive target for an attack.
The following characteristics indicate that a financial institution is less prepared for, and therefore more vulnerable to a cyber incident.
- Weak risk governance, with no dedicated cyber risk framework or clear management responsibility (for instance, when cyber risk is considered solely part of IT rather than part of the whole company's risk management framework). Evidence of this may be the lack of an emergency plan or insufficient resources to identify, isolate, and defend potential data breaches or attacks.
- Outdated and fragmented IT infrastructure with legacy systems in place. This incorporates outdated cyber-risk software without continuous patching of of automated teller machines (ATMs) and central servers. ATM networks have a lot of legacy hardware and software, which have become a popular target for cyber attacks. Another issue is a lack of back-up server capacity to redirect classic distributed denial of service (DDoS) attacks.
- Weak regulatory framework regarding cyber attack defense in a given jurisdiction. This affects banks with business in countries with higher risks and lower standards.
Limited Direct Impact On Bank Ratings To Date
The rating impact of a cyber incident would vary depending on the incident's characteristics and scope, and the extent of any resulting reputational damage or losses as a consequence. A theft of customer data may have a less material impact compared to a malware attack, for example. The rating impact would depend on how an entity's credit metrics changed as a result of the attack, and whether they were strong enough to absorb the losses and damage. One example of a rating impact was the downgrade of the Bank of Valetta after a cyber attack increased concern regarding the robustness of the bank's operational risk management (see "Malta-Based Bank of Valletta PLC Downgraded To 'BBB-/A-3' On Internal Control Issues; Outlook Stable," July 31, 2019).
A significant cybersecurity-related data breach at U.S.-based Capital One Financial Corp., in July 2019, did not result in a rating action, because we believed that direct costs associated with the incident were manageable for the entity, and the release of key customer data was limited (see "Capital One Financial Corp.'s Data Breach Increases Reputational Risks, Although The Direct Costs Appear Manageable," July 30, 2019). At the same time, we believed that the event underscored the importance of cybersecurity for banking institutions, and increased reputational risk for the entity.
Most recently, the Russia-based securities firm Freedom Finance reported data theft in December 2020, following a successful phishing attempt. The ratings were unaffected, owing to the company's resilient capital and earnings position (see "Freedom Finance's Data Breach Marginally Increases Risks To Strategy Of Building Commission Income," Dec. 28, 2020).
While cyber attacks have had only a limited effect on ratings on financial institutions so far, we expect them to trigger more rating actions in the future as cyber incidents become more frequent and complex.
How Cyber Risk-Ready Are Banks?
In our view, the key to cyber resilience lies in risk management action, both before and after an attack. In our analysis, we seek to understand how a financial institution manages its cyber risk exposure and how it would act after a potential attack to limit the damage.
In practice, we seek to understand an institution's awareness of cyber risk, the importance of cyber risk management, and the role of the Chief Information Security Officer (CISO) within the financial institution. We would also explore the extent to which cyber risk awareness is embedded across the different levels in an organization and the capabilities and resources it dedicates to cyber defense.
Given the importance of reputation and customer confidence within our assessment of relative credit risk, especially in financial institutions, we would also examine management response in the wake of the attack. Financial institutions with clear mitigation plans, that develop and test playbooks, and define their post-attack crisis management are better positioned to control a cyber incident and minimize reputational damage. In this respect, we think that leadership, communication, and transparency are key to limiting reputational risk and its potential impact on ratings.
Areas of discussion we would likely address in our analysis include:
- The bank's documented cyber risk management strategy, policy, and framework, including key strategic priorities in this area.
- The level of is cyber-risk awareness in the organization, including employee trainings.
- Budget allocated to cybersecurity, including revisions following COVID-19 pandemic.
- Whether the institution has experienced a cyber event that has lead to actual losses, and, if yes, what were the lessons learned and preventive actions taken.
(For further discussion on this topic see "How Ready Are Banks For The Rapidly Rising Threat Of Cyberattack?", published Sept. 28, 2015).
Strong Defense Measures Are Critical
Generally, we do not expect management teams to eradicate cyber attacks. However, what is critical to us is the way in which institutions respond. Although it is crucial to learn from previous attacks and strengthen cyber-risk frameworks in real time, the appropriate detection and remediation of attacks takes precedence because the nature of threats will continue to evolve.
We think it likely that cyber incidents will become more sophisticated, thus making them more difficult to handle. We therefore consider that the expansion of the organizational digital capabilities should be accompanied with strengthening and increasing the cyber defense and cyber risk management culture.
In particular, we expect organizations will enhance their cyber risk management frameworks. We believe cyber defense will become an increasingly important part of entities' general risk management and governance frameworks, in need of increasing spending and more sophisticated tools. We acknowledge, however, that this might not be straightforward for many entities, especially the ones with weaker risk-control frameworks and insufficient budget allocated for cyber defense.
This report does not constitute a rating action.
|Primary Credit Analyst:||Irina Velieva, Moscow + 7 49 5783 4071;|
|Secondary Contacts:||Lena Schwartz, RAMAT-GAN + 972-3-7539716;|
|Gabriella Vicko, London + 442071768656;|
|Benjamin Heinrich, CFA, FRM, Frankfurt + 49 693 399 9167;|
|Puneet Tuli, Dubai + 97143727157;|
|Antonio Rizzo, Madrid + 34 91 788 7205;|
No content (including ratings, credit-related analyses and data, valuations, model, software or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment and experience of the user, its management, employees, advisors and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw or suspend such acknowledgment at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain non-public information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.standardandpoors.com (free of charge), and www.ratingsdirect.com and www.globalcreditportal.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.standardandpoors.com/usratingsfees.
Any Passwords/user IDs issued by S&P to users are single user-dedicated and may ONLY be used by the individual to whom they have been assigned. No sharing of passwords/user IDs and no simultaneous access via the same password/user ID is permitted. To reprint, translate, or use the data or information other than as provided herein, contact S&P Global Ratings, Client Services, 55 Water Street, New York, NY 10041; (1) 212-438-7280 or by e-mail to: email@example.com.