- European banks are subject to a growing risk of cyber criminality and are potentially vulnerable to attack due to complexity created by the combination of old and new technology systems.
- Bank operations are inherently susceptible to cyber risk due to the threat of direct financial loss, their hosting of sensitive data, their exposure to business damage due to loss of confidence, and the possibility of regulatory punishment.
- Cyber risk assessment is part of our wider governance analysis and draws on input from cyber security experts, public information, interviews with bank management, and feedback from regulators.
A heightened threat of cyberattacks and the rapid digitalization of financial services have left European banks increasingly exposed to cyber risks. Industry and regulators are responding, but S&P Global Ratings believes that consistent cyber resilience remains a distant goal for the sector.
The risks to banks are manifold. A successful attack can mean direct financial loss through the theft of funds, while indirect losses can stem from ransom demands linked to stolen data, lasting reputational damage that can trigger deposit outflows and impair access to debt markets, and regulatory fines.
Those dangers alone demand that a bank's cyber preparedness be considered when assessing creditworthiness. Yet we consider that the complexity of many banks' IT systems, together with a shortage of cyber security expertise and investment, has compounded the risks faced by the European banking sector.
Banks' Operations Are Inherently Exposed To Cyber Risks
While cyber threats are present across all industries, banks appear uniquely exposed to currently heightened risks. Some of that is circumstantial. The war in Ukraine has heightened tensions across the globe, though feared damage from widespread cyberwarfare has largely failed to materialize (see "Cyber Threat Grows As Russia-Ukraine Conflict Persists," May 11, 2022).
Meanwhile, the rapid digitalization of banking services, which accelerated with COVID-19 lockdowns, has sped up the shift in underlying IT systems and added complexity to banks' operations, creating weaknesses and opportunities for attackers. That combination is likely to have contributed to a notable increase in the likelihood that a bank will suffer a cyberattack, as tracked by cyber security specialist Guidewire (see chart 1).
Yet the business of banking also has inherent vulnerabilities to cyberattacks. Banks hold digital cash that can be stolen, sensitive client data that can be ransomed, and their business operations are particularly reliant on counterparty confidence. At the same time, the systemic nature of their operations, including their importance to the economy and financial systems, magnifies the danger of a successful attack, and particularly one that results in business interruption.
The scope for damage, and thus the potential profit for cyber criminals, grows with the size of the institution targeted, and our analysis suggests that larger banks are at greater risk from cybercriminals (see chart 2). This likely reflects, among other things, a higher profile due to their typically larger numbers of customers and employees, and greater complexity (including cross-border operations) that gives rise to a larger number of potential vulnerabilities. It may also reflect their systemic importance, given the key functions they perform in the financial system.
The systemic and societal risks inherent in a large-scale cyber breach at a bank have led to legislation that adds potential regulatory intervention, including financial penalties, to the fallout from an attack. For example, breaching the obligation to secure personal data set out in Europe's General Data Protection Regulation (GDPR) can result in fines of up to 4% of a group's total worldwide annual turnover (or €20 million, whichever is higher).
But it is not only breaches that can incur financial burdens. Prudential capital buffers applied to banks are partly determined by assessments of lenders' cyber risk exposure, which gives European regulators the means to incentivize management to pursue best practice in cyber preparedness. The European Central Bank is preparing to launch its first "thematic stress test on cyber resilience," according to reports that appeared in March citing the bank's head of supervision.
The Danger Of The Digital Shift
Banking services' digitalization accelerated with the pandemic and shows little sign of slowing. That has left IT budgets and departments scrambling to keep up with demand, contributing to an often patchwork transition to new technologies, including cloud-based solutions, that can expose banks to increased cyber risk.
Older IT systems, which may have resided within banks for decades, have proven difficult to replace, particularly in back-end operations. Yet their interfaces with newer systems can be imperfect, and the operation of transitional parallel systems creates overlaps that enlarge a bank's attack surface. Both create the potential for exploitable weaknesses in cyber defenses.
At the same time, the implementation of the EU's Revised Payment Services Directive (PSD2), which took full effect in September 2019, opened the payment services market to greater competition by allowing licensed non-bank providers to initiate payments from, and read data in, customers' bank accounts with the customers' consent. That opened the door to competition from fintech companies, which could also gain access to banking details, and in turn enlarged the playing field for payments, giving attackers new targets and new account-access interfaces to probe. Inevitably, those new players soon began to report an increasing number of attacks (see "European Banks Face Risks In Race To Implement PSD2," May 16, 2019).
End-Of-Life Issues And The Cloud
The problems posed by older IT infrastructure are particularly acute when systems no longer receive the support needed to keep them robust. Such end-of-life (EoL) systems arise when external providers cease to issue security updates or bug fixes, or when a system depends on outdated programming languages and platforms for which tooling and skills are disappearing. Known vulnerabilities in such systems are never patched, so they are particularly prone to cyber security weaknesses.
EoL systems' security issues, and their basic reliability, can be compounded by a lack of IT personnel with expertise in them, which further limits banks' ability to provide upkeep or repairs. EoL systems are more common among incumbent banks, whose long histories can create stratified IT infrastructure, with newer systems and features built on top of older ones. Recently launched banks, and notably digital-only banks, typically have the advantage of being built around a unified and modern IT system, though they may still face challenges as their scale and complexity increase.
Cloud-based operations, which allow the outsourcing of both data storage and computing power, have fast emerged as the foundation of most banks' new IT systems. At their best, these systems offer banks a cost-efficient means to drive digital transformation. Yet the shift to the cloud has also created dependencies by placing a sizeable portion of the responsibility for cyber protection with cloud service providers. Cloud services are dominated by a handful of large U.S. companies, notably Google and Amazon, which offer access to state-of-the-art cyber security and compliance standards. But the resulting concentration of services creates an operational dependency that could prove a weakness for the European banking sector should a provider suffer an outage or a breach. The EU's Digital Operational Resilience Act, known as DORA, addresses the financial sector's digital resilience, including by seeking to mitigate the risks of outsourcing to third-party ICT providers. It applies from January 2025.
Banks can reduce that dependency by adopting a multi-cloud model, though at additional cost. Using a cloud services provider also does not relieve a bank of the need to maintain its own cyber preparedness measures (including upkeep of defenses, breach protocols, and recovery planning). Under the shared-responsibility model, the provider secures the underlying infrastructure, while the bank remains responsible for security 'in the cloud': its operating systems, applications, identity and access management, configuration, and client and company data.
How Damaging Could A Cyber Breach Prove?
The credit quality of the European banks that we rate has, so far, been little affected by cyber incidents. It is to be hoped that continues, but it could quickly and dramatically change. Cyber criminality is increasingly sophisticated, while banks will remain vulnerable to damage from interruption of service, data loss, financial loss, and regulatory penalties.
To gauge the likely extent of damage from a successful cyberattack on a large bank, we modelled the cost of an unlikely but significant event at 94 European banks with revenues of over $1 billion in 2022. This calculation, called a tail-value-at-risk, measured the average loss across major breaches that have only a 0.4% chance of occurring (otherwise expressed as the average loss beyond the 99.6% confidence level).
Our analysis, which used data from cyber security specialist Guidewire, showed that in the rare circumstances in which a major attack was successful at a large bank, a lender might suffer a loss, directly attributable to the event, of as much as 7% of its equity value. That is a magnitude of loss that could prove material to the assessment of a bank's credit quality (see chart 3).
Less alarmingly, the median loss across the entire distribution of estimated losses was a manageable, though still significant, 0.8% of equity. Even at the 75% confidence level the average loss was still less than 2% of equity.
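To make the tail-value-at-risk figures concrete, the following Python computes empirical value-at-risk (VaR) and tail-value-at-risk (TVaR) over a set of loss scenarios expressed as fractions of equity. It is an added illustration for this page, not S&P Global Ratings' model or Guidewire's data: the 1,000-scenario loss distribution is constructed (a deterministic geometric ladder), the function and class names are the example's own, and its output numbers are not the article's results.

```python
"""Empirical value-at-risk (VaR) and tail-value-at-risk (TVaR) of cyber-loss
scenarios expressed as a fraction of a bank's equity.

Added illustration for this page, not S&P Global Ratings' model or Guidewire's
data. The loss distribution below is constructed (a deterministic geometric
ladder of 1,000 scenarios) so the script runs offline; its numbers are not the
article's results.
"""
from __future__ import annotations

import math
from dataclasses import dataclass

# Constructed sample (assumption for illustration only): 1,000 loss scenarios,
# each a fraction of equity, rising geometrically from 0.08% to 8% of equity.
# Scenario 500, the median, lands at exactly 0.8% of equity.
LOSSES: list[float] = [0.0008 * 10 ** (i / 500) for i in range(1, 1001)]

# Small slack so that e.g. 0.996 * 1000 landing a hair above 996.0 in floating
# point does not push the tail boundary off by one scenario.
_EPS = 1e-9


@dataclass(frozen=True)
class TailRisk:
    confidence: float  # e.g. 0.996 => the worst 0.4% of scenarios
    var: float         # loss not exceeded in `confidence` of scenarios
    tvar: float        # mean loss across the scenarios in that worst tail
    tail_count: int    # how many scenarios make up the tail


def value_at_risk(losses: list[float], confidence: float) -> float:
    """Empirical VaR: the order statistic below which `confidence` of the
    scenario mass lies (upper-order-statistic convention)."""
    if not losses:
        raise ValueError("need at least one loss scenario")
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must lie strictly between 0 and 1")
    ordered = sorted(losses)
    k = math.ceil(confidence * len(ordered) - _EPS) - 1
    return ordered[max(k, 0)]


def tail_value_at_risk(losses: list[float], confidence: float) -> TailRisk:
    """TVaR (expected shortfall): the average of the worst (1 - confidence)
    fraction of scenarios. It is always >= VaR, because VaR only marks where
    the tail starts while TVaR averages everything beyond that point."""
    var = value_at_risk(losses, confidence)
    worst_first = sorted(losses, reverse=True)
    tail_n = max(1, math.ceil((1.0 - confidence) * len(worst_first) - _EPS))
    tail = worst_first[:tail_n]
    return TailRisk(confidence, var, sum(tail) / tail_n, tail_n)


def risk_profile(losses: list[float],
                 levels=(0.5, 0.75, 0.996)) -> dict[float, TailRisk]:
    """VaR/TVaR at several confidence levels, mirroring the article's
    median / 75% / 99.6% cuts."""
    return {c: tail_value_at_risk(losses, c) for c in levels}


if __name__ == "__main__":
    for level, r in risk_profile(LOSSES).items():
        print(f"{level:>6.1%}: VaR {r.var:6.2%} of equity, "
              f"TVaR {r.tvar:6.2%} over the worst {r.tail_count} scenarios")
```

Running it shows why the article quotes an average loss rather than a threshold: at 99.6% the VaR is the single scenario where the worst 0.4% begins, while the TVaR averages the four scenarios beyond it and therefore sits above the VaR. Plugging in a real scenario set simply means replacing the constructed `LOSSES` list.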
Cyber Risk Is Credit Risk
We have witnessed only one instance in which a cyber-attack contributed to the downgrade of a rated European bank (see "Malta-Based Bank of Valletta PLC Downgraded To 'BBB-/A-3' On Internal Control Issues; Outlook Stable," July 31, 2019). In that instance, Bank of Valletta was forced to shut down its internet access, its branches, and its cashpoints for several hours. The breach, along with other events, fostered our doubts about the robustness of the bank's operational risk management, which we considered added to the material litigation risks to which the bank was already exposed.
The assessment of Bank of Valletta is typical of how cyber risk contributes to our wider credit risk analysis and reflects our belief that a lack of cyber preparedness is often a characteristic of generally weaker risk governance. Our bank rating surveillance assesses a bank's exposure to cyber risk (both individually and relative to its peers) and the extent to which a bank has appropriate safeguards to minimize the effects of a successful attack. Evidence of poor cyber preparedness can include the lack of a dedicated cyber risk framework, a failure to clearly delegate management responsibility for cyber risk management, the lack of an emergency plan in the event of a cyber breach, or the allocation of insufficient resources to cyber issues.
Our assessment incorporates market data provided by cyber security specialists and the use of public records. It also includes interviews with banks' management teams, which notably inform our view of a bank's record of dealing with cyber-attacks, the potential business implications of a breach, and the likely success of post-breach remediation actions. We also seek insights into IT budgets, a bank's cyber-relevant organizational structures (including staffing), and its technology architecture and systems. And we incorporate feedback from regulators, and from both internal and industry benchmarking exercises.
We acknowledge that our analysis of a bank's cyber risk preparedness is, at least partially, an analysis of past events, and that threats evolve, necessitating updates to policies and practices. The impact, if any, of a successful cyber attack on a rating will depend on its effect on a bank's credit metrics, and evidence that the target's financial position can (or cannot) absorb the direct loss and resultant damage to its business (see "Cyber Risk In A New Era: The Effect On Bank Ratings," May 24, 2021).
The mixture of prediction and analysis of past events in our assessment reflects the unpredictability of cyber risks faced by European banks, and the certainty that those risks will remain a pressing concern.
Cyber Risk Insights: Navigating Digital Disruption, Feb. 22, 2023
Cyber Risk Management Is Credit Risk Management, Says Seminar, Nov. 1, 2022
Australia's Banks Are Slowly Tuning In To The Risks Of Cyber Attacks, Oct. 5, 2022
Asia-Pacific Banks' Digital Opening Raises Cyber Risks, Sept. 27, 2022
Gulf Banks' Strong Capitalization Supports Resilience To Cyber Risk, May 16, 2022
Cyber Risk In A New Era: The Effect On Bank Ratings, May 24, 2021
Malta-Based Bank of Valletta PLC Downgraded To 'BBB-/A-3' On Internal Control Issues; Outlook Stable, July 31, 2019
European Banks Face Risks In Race To Implement PSD2, May 16, 2019
Writer: Paul Whitfield
This report does not constitute a rating action.
Primary Credit Analyst: Benjamin Heinrich, CFA, FRM, Frankfurt, + 49 693 399 9167
Secondary Contacts: Giles Edwards, London, + 44 20 7176 7014
Nico N DeLange, Sydney, + 61 2 9255 9887
Tiffany Tribbitt, New York, + 1 (212) 438 8218
Nik Khakee, New York, + 1 (212) 438 2473
Markus W Schmaus, Frankfurt, + 49 693 399 9155
Cristina Polizu, PhD, New York, + 1 (212) 438 2576
Karim Kroll, Frankfurt, 6933999169
Miriam Fernandez, CFA, Madrid, + 34917887232
No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.