Digital disruption is a key change agent for businesses, their competitive and industrial dynamics, and the capital markets that fuel growth. Yet while technological advancement and adoption are rapidly catalyzing new networks across an increasingly interconnected world, the frenetic pace of technological progress exposes companies and countries alike to mounting cyber risks.
Both the threat landscape and the role cyber insurance plays in risk mitigation are changing: Cyberwar is now baked into any nation-state conflict, entities' reliance on third-partner vendors is exacerbating systemic risks, and it's more important than ever that cybersecurity be an embedded part of risk management, according to new research from S&P Global Ratings and S&P Global Market Intelligence.
The evident opportunities, risks, and solutions that materialize with digital disruption are becoming clear. After the COVID-19 pandemic dramatically accelerated the digitalization of markets by irrevocably altering the way consumers, communities, and companies operate, innovative technologies--spanning multi-factor authentication to smart contracts--have continued to transform entire segments of the global economy.
Markets appear to be on the eve of a new era led by the digitalization and decentralization of finance (DeFi) as well as the widespread adoption of cryptocurrencies and blockchain technologies. This complex and rapidly emerging ecosystem will both complement and disrupt existing market frameworks, with broad operational and credit implications. The emergence and acceptance of new digital asset classes will require the integration of traditional risk and performance assessments with fresh types of analyses. Broader acceptance from institutional investors may herald a new phase of rapid acceleration, even if cryptocurrencies and the broader DeFi ecosystem remain a small segment of the financial markets.
For example, we believe blockchain applications can reduce cyber risk by using a distributed ledger technology, and ensuring accuracy and efficiency--but can also introduce risk by making any changes harder, eliminating centralized operational safety nets, and introducing regulatory uncertainty. Likewise, stablecoins--cryptocurrencies with a market value generally tied to a specific fiat currency--may solidify as the premier digital currencies if they can peacefully coexist with the world of traditional finance without materially elevating systemic risks.
As in every new industry, some entities won't survive this rapid evolution, while others will become firmly established. Evolving regulations will define the future shape of the crypto ecosystem in the next two years, as the current market downturn and collapse of some crypto assets has sharpened policymakers' awareness of the need to address the DeFi ecosystem.
The banking industry is the foremost traditional sector at the epicenter of digital disruption. Technologies like banking as a service pose new opportunities for banks to distribute their products, attract new customers, and tap new business models. Meanwhile, the threat of cyberattacks and increasing cyber risks are prevalent across the interconnected banking systems in Asia-Pacific, with the highly concentrated markets in Hong Kong, Singapore, and Australia particularly vulnerable. Continuing to invest in cyber security and proactively managing risk in the face of evolving threats can help financial institutions mitigate risk.
Data breaches, ransom demands, and distributed denial-of-service attacks, among other forms of cyberattacks, can target entities spanning colleges and universities to utilities to international public finance and beyond. Ultimately, they risk weighing on credit quality, resulting in substantial monetary losses and undermining confidence in key institutions and infrastructure. Sovereigns, local governments, and other public entities face the particular risk of cyberwarfare, demonstrated most notably this year by Russia's cyberattacks on Ukraine.
Overall, the increasing frequency of cyberattacks is a relevant risk factor for our ratings analysis. For global corporate issuers, total negative rating actions where a cyberattack was a contributing factor more than doubled in 2020-2021 from the preceding two-year period--a trend we see likely to continue.
Whether organizations have embedded the following into their operations are key considerations: response plans, or business continuity and disaster recovery plans, that are defined, understood, and tested before an attack; backup procedures that ensure that critical data can be restored following a ransomware or destructive cyberattack; and backup systems that are isolated from network connections.
As issuers need to prepare for when--not if--they will be attacked, cyber insurance is the fastest-growing subsector of the insurance market. Both policyholders and insurers face credit implications. Strict underwriting and clear policies with precise wording are key to the sustainable development of the cyber insurance market--but this could leave issuers exposed to cyberthreats without sufficient liquidity to deal with the aftermath of a cyberattack. Policies might not explicitly include or exclude cyber coverage or cyberwarfare exclusions, which could result in an insurer not reimbursing costs that the policyholder might expect.
This report is part of S&P Global Ratings' "A World Redefined" 2022 research focus.
This report does not constitute a rating action.
|Primary Credit Analyst:||Molly Mintz, New York;|
|Secondary Contacts:||Alexandra Dimitrijevic, London + 44 20 7176 3128;|
|Ruth Yang, New York (1) 212-438-2722;|
No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.