articles Ratings /ratings/en/research/articles/220927-asia-pacific-banks-digital-opening-raises-cyber-risks-12508935 content esgSubNav
In This List
COMMENTS

Asia-Pacific Banks' Digital Opening Raises Cyber Risks

COMMENTS

European Banks’ Residential Mortgage Losses Should Remain Contained Even As Economies Slow

COMMENTS

Top 50 European Banks: Higher Rates Support Risk-Adjusted Capital Ratios

COMMENTS

European Banks: The Agile Will Come Out Stronger

NEWS

Australian Regulator's Reminder On Hybrids Should Be No Surprise


Asia-Pacific Banks' Digital Opening Raises Cyber Risks

Chart 1

image

Asia-Pacific banks have been hacked before, and they will be hacked again. We are incorporating this risk into our ratings on financial institutions. S&P Global Ratings believes the region's ever-more open and interconnected banking systems raise the threat of hacks and data breaches.

Financial institutions are increasingly on the cloud, sharing client data with a fintech firm, or relying on third-party service providers. With the addition of each new partner into a digital system, hackers get a new point of entry.

The pandemic has also conditioned much of Asia-Pacific to work from home, and to get their financial services on the internet. As banking moves online, the scope for cyberattacks rises.

On top of creating direct monetary losses, data breaches can damage the reputation of a bank and can hit a bank's credit profile. In jurisdictions where the entire industry incurs repeated, serious data breaches, or where regulators are particularly lax, we may downgrade our rating scores on all banks.

Moreover, a successful attack may pose systemic risks. The highly concentrated markets of Hong Kong, Singapore, and Australia are particularly vulnerable. An incursion that disrupts the operations of one large player in these markets could seriously unsettle the normal business of banks and their customers.

A Chain Is Only As Strong As The Weakest Link

The interconnectedness of global financial services and infrastructure mandates a robust digital framework. This accounts for the critical role that banks play in payment systems.

Asia-Pacific banks also often rely on partners for their cloud computing and open banking platforms. This involves a fresh set of risks. Amazon Web Services (AWS), Google Cloud Platform, IBM Cloud, Oracle Cloud, and Microsoft Azure control about 80% of the cloud service market, according to Gartner, a researcher. These five entities have access to key banking data and support core banking services.

For instance, an AWS outage in December 2021 affected several organizations and their thousands of users. In September 2021, a glitch in the AWS platform disrupted a wide swath of online services. Affected entities ranged from financial institutions to Haneda Airport, where airlines temporarily lost the capacity to check in passengers.

Similarly, Asia-Pacific banks' adoption of open banking is an opportunity for hackers. Open banking involves the sharing of sensitive customer data among a wide range of fintech companies and third-party service providers. This allows clients to move seamlessly from one service provider to another. But as more parties handle data, hackers have more ways to infiltrate and steal information.

Australia, Hong Kong, Singapore, South Korea, mainland China, India, New Zealand, Japan, and India are at various stages toward implementing open banking. A major bank could partner with a small fintech firm, which may not have resources for a robust cyber defense. Attackers targeting entities with weak security could get a back door into the data of larger, better defended banks.

Large banks across Asia-Pacific have resources at their disposal to prepare and invest in strengthening their cyber resilience. However, this doesn't necessarily protect them from a breach. Attackers could target entities or service providers with the weakest security and harm leading players.

The threat of a systemic risk is potentially more acute for banking systems where most banking assets are concentrated in a relatively small number of banks. This could include banking systems such as Australia, Hong Kong, and Singapore, noting also that institutional framework in these jurisdictions is very sound by international standards.

Data Breaches Could Prove Crippling For Individual Banks

Certain industries, such as financial services or health care, are at greater risk of data breaches. Sensitive information such as credit card or bank account numbers, bank transfers, or social security number are extremely valuable to a hacker. Lost laptops, improper disposal of private data, and targeted attacks by hackers infiltrating a company's network can also lead to data breaches.

We have not downgraded any Asia-Pacific bank as the result of a cyberattack. However, the hit to individual institutions could be crippling. This could be particularly true for banks that have not invested enough in their cybersecurity.

How The Regional Regulators Break Down In Managing Cyber Risk

To prevent attacks, Asia-Pacific regulators will need a dogged determination to understand and manage risks. This points to the need for collaboration, and cross-border information sharing to build cyber resilience across entities to prevent systemic risk.

Regulators are key to setting standards for banks, and guiding them toward collaboration. Such bodies are focusing on industry partnerships, pilot projects, sharing of best practices, and the like. This underscores how critical cybersecurity is to the smooth functioning of an economy and key services. Accordingly, it is helpful to see what regulators are doing in each market:

Australia

The Australian Prudential Regulation Authority (APRA) released the final version of its CPS 234 in November 2018. The document sets prudential standards for information security. It aims to ensure financial institutions manage information security, including preventing cyberattacks. The rules have been in effect since July 2019. The board of a regulated financial institution bears ultimate responsibility to comply with this standard. In 2020, APRA announced its 2020-2024 Cybersecurity Strategy to focus on rising digital threats.

APRA concluded two pilot initiatives under this strategy. The first targeted data collection on financial institutions' technology resilience. This involved surveying banks on a number of IT and cyber topics, including IT resourcing, system health, information security capabilities, and disaster recovery statistics.

The authority also conducted an independent assessment of entities' compliance with CPS 234. The initiatives reinforced the view that boards need to be directly involved in overseeing an institution's digital resilience.

The Council of Financial Regulators has released a Cyber Operational Resilience Intelligence-led Exercises framework to identify systemic weaknesses. The council recently completed a pilot exercise based on this framework.

Mainland China

Regulators guide Chinese banks on cyber risks. The dual mandate to focus on digital security and digital development was reiterated in the latest Fintech Development Plan (2022-2025) issued by the People's Bank of China (PBOC).

The plan laid out digitalized regulatory supervision and a framework for risk controls. Detailed rules address the many facets of internet risk, such as data security, anti-fraud assessments, system stability, and stress tests.

Regulators also focus on privacy protection, offering technical specifications and data safety guidelines. This is in addition to mainland China's Personal Information Protection Law, rolled out in August 2021.

For more details, see "Commercial Bank Application Program Interface Security Management Specification," published by the PBOC in February 2020, "Interim Measures For The Administration Of Internet Loans Of Commercial Banks," published by the China Banking and Insurance Regulatory Commission (CBIRC) in July 2020, and "Notice Of The Measures For The Supervision Of Information Technology Outsourcing Risks Of Banking And Insurance Institutions," published by CBIRC in December 2021.

Hong Kong

The Hong Kong Monetary Authority set up a Cybersecurity Fortification Initiative (CFI) in 2016. CFI is a comprehensive framework to elevate the internet resilience of banks in Hong Kong. This three-pronged approach covers:

  • A common framework for banks to self-assess their own risk profiles and determine the level of defense and resilience required;
  • Training and certification programs to increase the supply of qualified professionals in cybersecurity; and
  • Sharing of threat intelligence among banks to enhance collaboration.

An enhanced version was launched in 2021 after factoring in the feedback received from the banking industry.

India

The Reserve Bank of India (RBI) put in place a cybersecurity framework for banks in India in 2016. The framework includes guidelines such as a need for a board-approved internet policy, continuous surveillance arrangements, design of the IT architecture, network and database security, protection of customer information, and the like.

The RBI performs periodic drills. It recently conducted phishing simulations on supervised entities, to assess their email security standards. The central bank is also rolling out reconnaissance exercises this year, to gather data on the preparedness of supervised entities.

The Indian Computer Emergency Response Team, which deals with cybersecurity threats, has looked at banking cases involving phishing, unauthorized access, and other issues. The Computer Security Incident Response Team-Finance Sector has been issuing intelligence alerts in real time to financial entities.

Indonesia

Otoritas Jasa Keuangan published a set of regulations on the implementation of information technology by commercial banks on July 2022. Here, the financial services regulator addresses standards for banks' IT governance, risk management, cybersecurity, and personal data protection.

The regulator recognizes digital adoption in the financial sector has accelerated since COVID, heightening cybersecurity risks. The policy seeks to ensure the financial sector is implementing sufficient safeguards while giving institutions room for innovation.

Japan

The Financial Services Agency of Japan has undertaken policies to strengthen cybersecurity in the financial sector since 2015. The agency has also annually conducted an industrywide cybersecurity exercise (called Delta Wall), beginning in 2016. Some 150 financial institutions participated in the latest exercise, in October 2021.

The number of small- and midsized financial institutions that participated in the exercise has increased in the country, particularly deposit banks, credit associations, and fund-transfer specialists. Such entities may be more vulnerable to cyberattacks than larger institutions with more resources.

The latest exercise aims to assess financial institutions' response to an attack, examining their technical ability, information sharing, and the continuity of services.

The exercise also scrutinized banks' decision-making when responding to an incident. It looks at participants' actions during the exercise, recommending improvement measures, and sharing best practices after the event. The lessons learned are shared with the entire industry.

Malaysia

Bank Negara Malaysia's cybersecurity push is built around its Financial Sector Blueprint (2022-2026). Upcoming initiatives include closer monitoring of third-party service providers, developing digital "contagion maps" for the financial sector, and implementing assessment frameworks.

The central bank has issued guidelines for cybersecurity since 2015. It has enhanced some of these guidelines recently to mitigate risks from digitalization. For example, in January 2020, it advised banks to significantly strengthen cyber-risk management in the areas of governance, controls, monitoring and surveillance, and response and recovery.

The central bank launched the Financial Sector Cyber Threat Intelligence Platform in September 2021 to facilitate sharing of threat intelligence and best practices. It also implemented its Cyber Incident Scoring System wherein financial institutions are required to immediately report any data incursions.

New Zealand

The Reserve Bank of New Zealand published guidance on cyber risk in April 2021. The document provides high-level, principles-based recommendations. The guidance outlines:

  • The roles and responsibilities of the board and senior management, and the need for an effective strategy for achieving digital resilience;
  • Capability building;
  • Information sharing; and
  • Third-party management.

The central bank carries about its work in conjunction with National Cybersecurity Centre, the Computer Emergency Response Team, and the Financial Markets Authority.

Philippines

Bangko Sentral ng Pilipinas in 2017 issued a circular addressing internet threats. This circular highlights the role of the board and senior management to create sound information-security governance, including a strong security culture.

The central bank also tightened the reporting regime of supervised institutions. Entities now need to disclose cyber incidents within two hours, tightened from a prior standard of 10 calendar days. Faster reporting aims to enhance the industry responsiveness. The central bank has also finetuned its policies to promote automated, real-time systems to detect fraud.

Singapore

The Monetary Authority of Singapore set up the Cybersecurity Advisory Panel in 2017. The panel advises the authority on cyberthreats, and best practices and strategies. Technology Risk Management guidelines cover digital risks. All financial institutions need to follow the guidelines, and they are used by the authority in its risk assessments of entities.

The authority has also signed a memorandum of understanding with the Banque de France, and the Autorité de contrôle prudentiel et de résolution (a prudential supervisory body) in 2019. The three entities together carried out a joint crisis management exercise in June 2022. This tested authorities' capacity to respond to ransomware, zero-day vulnerabilities, and IT supply chain attacks.

South Korea

The Financial Services Commission (FSC) has strengthened cybersecurity systems and monitoring for banks in Korea. Preventive measures include emergency planning and training to ensure banks maintain continuity after an attack, the evaluation of IT system vulnerabilities, disaster recovery plans, and the mandatory appointment of a chief information security officer.

In response to the pandemic, the FSC has required banks to strengthen their internal controls when employees work from home. This encompasses authentication and encryption.

In 2015, Korea established the Financial Security Institute to enhance security in the financial sector. The institute continuously monitors and responds to cyberattacks, and shares the information with other agencies and other financial service companies.

The institute has issued guidance for financial security governance, which outlines the roles of key players in information protection and the need to establish companywide governance standards for data security.

Taiwan

The government launched its Cybersecurity Management Act in 2019 with an initial focus on public enterprises and infrastructure. The Financial Supervisory Commission announced its Financial Information Security Action Plans in 2020. The document requires large and medium-size financial institutions to establish an information security framework, with a senior manager acting as chief information security officer.

This reflects Taiwan's preference to go beyond technical specifications to focus on governance. This guidance will likely be extended to more than 100 listed companies by the end of 2022.

Thailand

The Cybersecurity Act of Thailand has been in effect since May 2019. The act requires regulated entities to implement guidelines on cybersecurity in accordance with the national cybersecurity master plan. The National Cybersecurity Committee oversees this plan. The committee includes the prime minister of Thailand as the chairman, and directors from relevant public and private fields. It is also regulated by the Cybersecurity Regulatory Committee, which brings in the minister of the Ministry of Digital Economy and Society as the chairman, and directors from relevant public and private fields.

In addition, Thailand's finance, banking, capital markets, and insurance industries have established a Computer Emergency Response Teams for their respective industries. The teams share cybersecurity information on a daily basis.

Editor: Jasper Moiseiwitsch

Digital designer: Evy Cheung

Related Research

This report does not constitute a rating action.

S&P Global Ratings Australia Pty Ltd holds Australian financial services license number 337565 under the Corporations Act 2001. S&P Global Ratings' credit ratings and related research are not intended for and must not be distributed to any person in Australia other than a wholesale client (as defined in Chapter 7 of the Corporations Act).

Primary Credit Analysts:Nico N DeLange, Sydney + 61 2 9255 9887;
nico.delange@spglobal.com
Gavin J Gunning, Melbourne + 61 3 9631 2092;
gavin.gunning@spglobal.com
Secondary Contacts:Andy Chang, CFA, FRM, Taipei +886-2-2175-6815;
andy.chang@spglobal.com
Harry Hu, CFA, Hong Kong + 852 2533 3571;
harry.hu@spglobal.com
Ryoji Yoshizawa, Tokyo + 81 3 4550 8453;
ryoji.yoshizawa@spglobal.com
Ivan Tan, Singapore + 65 6239 6335;
ivan.tan@spglobal.com
Daehyun Kim, CFA, Hong Kong + 852 2533 3508;
daehyun.kim@spglobal.com
Deepali V Seth Chhabria, Mumbai + 912233424186;
deepali.seth@spglobal.com
Nikita Anand, Singapore + 65 6216 1050;
nikita.anand@spglobal.com
Shinoy Varghese, Singapore +65 6597-6247;
shinoy.varghese1@spglobal.com
Research Assistant:Priyal Shah, CFA, Mumbai

No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.

Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.

To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.

S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.

S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.


Register with S&P Global Ratings

Register now to access exclusive content, events, tools, and more.

Go Back