articles Ratings /ratings/en/research/articles/240704-cyber-risk-insights-fortifying-digital-defense-key-for-asia-pacific-banks-13167042.xml content esgSubNav
In This List
COMMENTS

Cyber Risk Insights: Fortifying Digital Defense Key For Asia-Pacific Banks

COMMENTS

Global Fund Ratings As Of July 2024

Global Banks Midyear Outlook 2024

COMMENTS

Cambodian Banks: The Struggle Is Real

COMMENTS

Your Three Minutes In Cyber Security: New Rules Will Change EU Banks' Management Of Third-Party Provider Risk


Cyber Risk Insights: Fortifying Digital Defense Key For Asia-Pacific Banks

Asia-Pacific financial institutions face increasing cyber threats. Third-party breaches are the most pressing sources of risk for banks, in our view. So too, is the task of finding 2.5 million skilled cyber staff in Asia Pacific needed to deal with the threat, according to the World Economic Forum (WEF), a think tank. S&P Global Ratings believes these risks could have both financial and ratings implications for the entities under our coverage. For smaller banking institutions, that often rely on third-party service providers and have fewer cyber-skilled staff to keep a lid on costs, the threat is acute.

More Frequent And More Sophisticated Threats

Because of the access they provide to payments systems and the sensitive information they hold, banks remain a key target for hackers. In the first quarter of 2024, Asia-Pacific recorded a 16% year-on-year increase in cyber-attacks--among the highest in the world, according to data from Checkpoint, a global provider of cyber-security solutions.

As technology evolves so too does the probability of successful attacks if risk-management practices do not keep pace. Increased digitalization and advances in AI are coinciding with heightened sophistication of methods used by cyber attackers. This includes in areas such as social engineering, phishing, and the use of generative AI. Attackers will focus on identifying areas of weakness. For banks, the risk may come from their interaction with third parties who themselves fail to properly mitigate cyber risks.

Other elevated risks include the interconnectedness of banking systems, across jurisdictions and within individual countries, and the potential for reverberation.

Third-Party Interaction Presents Supply-Chain Risk

Banks must be prepared for the likelihood that third parties will continue to be exploited. Recent attacks in Asia-Pacific and elsewhere demonstrate that bad actors can stage attacks by identifying and exploiting weaknesses in the cyber risk management of third parties. Attackers can use supply chains--a service provider or a third-party software--to exploit trusted relationships to gain initial access to a bank.

Given the ease of access in instances where the defenses are weak, such attacks are likely to recur, in our view. Many of the recent attacks have involved ransom demands, some of which have purportedly been paid.

Increase in Third Party Technologies Highest In Asia Pacific

Guidewire data suggests that third party cyber risk in Asia-Pacific has also been increasing more than what we have observed globally. Guidewire's data monitors the use of third-party technologies, which includes, for example, libraries, tools, and platforms to build a website's technology stack.

Table 1

Asia-Pacific has the highest increase in the use of third-party technologies
Banks and bank holding companies, revenue more than $5 billion
Region April 2023 April 2024 Change
Asia-Pacific 2.53 3.14 0.60
EMEA 2.47 2.80 0.33
North America 2.74 3.22 0.48
South America 3.14 3.71 0.57
Range: 0-Minimal use of third-party technologies; 1-Low use of third-party technologies; 2-Moderate use of third-party technologies; 3-High use of third-party technologies; 4-Substantial use of third-party technologies.
EMEA--Europe, Middle East, Africa. Number of different web technologies used on a website, including JavaScript libraries, analytics and tracking tools, recruitment systems, audio/video media platforms, and other enhancements to content and functionality. Source: Guidewire.

Smaller Banks Increasingly Vulnerable

The data also suggests smaller banking institutions face a greater risk than their larger counterparts because of their greater reliance on third-party technologies. Larger banks, in contrast, develop many of these systems inhouse.

Table 2

In Asia-Pacific the use of third-party technologies is greater among smaller banks
Banks and bank holding companies, revenue more than $5 billion
Revenue Asia-Pacific
US$100 bilion plus 1.50
US$50 billion-US$100 billion 2.50
US$10 billion-US$50 billion 3.06
US$5 billion-US$10 billion 3.75
Average 3.14
Range: 0-Minimal use of third-party technologies; 1-Low use of third-party technologies; 2-Moderate use of third-party technologies; 3-High use of third-party technologies; 4-Substantial use of third-party technologies.
EMEA--Europe, Middle East, Africa. Number of different web technologies used on a website, including JavaScript libraries, analytics and tracking tools, recruitment systems, audio/video media platforms, and other enhancements to content and functionality. Source: Guidewire.

We view the following factors as driving the increase in third-party cyber risk in Asia-Pacific:

Increased digitalization during the pandemic.  During this time, customers made more use of online banking services and bank staff worked from home. Banks are also paring back their branch infrastructure to lower their cost base.

Increased use of cloud-based service providers.  Banks are using this to achieve greater operational efficiency, cost savings, and agility. On the one hand, moving to the cloud may increase cyber risk complexity; on the other, it could also enhance security. Large cloud-based service providers have strong cyber security governance and compliance.

The advent of open banking in the region.  This technology allows more third parties access to a bank's IT systems thereby increasing risk. Financial institutions are also increasingly exploring business opportunities with fintech companies.

Smaller banks are more likely to use third-party service providers to save costs and achieve economies of scale. This is particularly true for smaller banks that use off-the-shelf core banking products and for jurisdictions where competition is increasing, for example Australia.

We expect cyber risk management and governance among third parties to be generally less stringent compared with highly regulated banks. Non-prudentially regulated third parties often face less regulation and may not need to comply with stricter industry standards set for banks. Nor do unregulated third parties face routine inspections.

Regulators: Tightening Scrutiny On Third-Party Risk Management Will Help

New regulations are increasingly focusing on third-party risk management. This includes establishing or updating the regulatory frameworks and increasing their level of scrutiny. In our view, increased regulation and supervision will strengthen banks' cyber risk management.

The Australian Prudential Regulation Authority has strengthened the operational risk management standard.  The regulator now requires banks to maintain a comprehensive service provider management policy. The policy must cover how the entity will identify material service providers and manage service-provider arrangements, including the management of material risks associated with the arrangements.

The Hong Kong Monetary Authority (HKMA) has conducted examinations of banks' management of cyber risk associated with the use of third-party services.  Following a review in January 2023, the HKMA listed a range of sound practices banks should follow to strengthen their supply-chain risk management. This included threat intelligence monitoring to cover third parties, and strengthening the preparedness of supply chains with scenario-based strategies.

The Financial Services Agency of Japan proposed a change to its regulatory framework over cyber risk in June 2024.   It extracted items related to cyber security from the supervisory guidelines and creating a more expanded and detailed guideline specific to cybersecurity of the financial sector. There is a stronger focus on strengthening security measures over vendors and service providers, including their subcontractors, due to an increased number of cyber incidents brought by third-parties.

The Monetary Authority of Singapore (MAS) conducted thematic inspections on the operational risk management standards and practices of selected banks in 2022.  The MAS focused on third-party risk management, and published an information paper setting out its supervisory expectations, good practices, improvement areas, and case examples observed from the inspections.

Bank Negara Malaysia (BNM), the country's central bank, remains focused on risks related to third-party service providers.  In November 2023, BNM led a simulation with banks that have large branch and ATM networks to test the industry's controls and response to potential disruptions in third-party services affecting cash operations. The exercise provided insights on how to strengthen existing arrangements with alternate service providers to ensure continuity of businesses and services.

The Reserve Bank of India has highlighted aspects that banks should observe in their operational controls and governance structure while outsourcing services.  Some examples include ensuring that third-party vendors implement strong data-protection measures and conduct regular audits and assessments adequacy of the vendors' risk management practices, compliance with laws and regulations, etc.

The Reserve Bank of New Zealand set out a risk-management guidance in April 2021.  Key elements of the guidance include third-party management planning and due diligence, negotiation, ongoing management, review and accountability, and termination.

The National Financial Regulatory Administration in China issued operational risk management rules for banking and insurance institutions, effective July 1, 2024.  The aim is to ensure data security risks are integrated into the institutions' comprehensive risk management system.

In Taiwan, The Financial Supervisory Commission released the Financial Cyber Security Action Plan 2.0 in 2022.  This is to ensure uninterrupted operation of the financial system, provide the public an environment of online transaction that inspires confidence, and to strengthen the cyber defense capabilities of financial services firms.

In Korea, financial regulators continue to strengthen the financial services companies' preparedness and resilience against increasing cybersecurity threats.  The Financial Services Commission (FSC) announced measures to further improve security governance of financial services companies recently. The FSC also set out security guidelines for the use of AI in the financial sector.

Banks Look To Boost Due Diligence, Automation

In our view, banks are adhering to regulatory requirements to manage supply-chain risk, and this will lift the level of third-party risk management in banks. This does, however, pose a greater test of compliance for smaller banks, given increased regulatory complexity, fewer resources, and greater reliance on third parties.

Our meetings with bank management reveal some of the key steps they are taking:

  • Due diligence to evaluate the risk profiles of third-party vendors before engagement.
  • Third-party risk management programs that cover the lifecycle of third-party relationships.
  • Advanced automation tools to manage third-party risks. Examples include vendor risk management platforms and security information systems.
  • Investment in training and awareness. Banks are investing in programs to ensure that employees understand the importance of third-party risk management and can handle related challenges.
  • Reducing reliance on providers of third-party services where they can.

Four Million Reasons Why The Cyber Skills Void Remains

Shortages in cyber risk skills combined with a limit on spending on cyber risk (relative to larger banks in Asia-Pacific) could become a credit weakness, especially for some smaller banks.

Amid increased digitalization and the emergence of AI, more cyber skills will be needed. Many banks also rely on legacy systems that need replacing. This will further squeeze cyber resources.

Between 2022 and 2023, the global cybersecurity workforce grew by 12.6%, according the to the WEF). A big year-on-year climb for any industry. But the talent gap is still far from filled. As of April 2024, the cybersecurity industry faces a shortfall of 4 million workers worldwide, the WEF says.

The shortage is most pronounced in Asia-Pacific, which lacks more than 2.5 million cybersecurity workers, followed by North America, which faces a gap of almost 522,000 people.

In addition, banks in Asia-Pacific are competing with an IT sector that also faces increasing demand for these skills.

Risk Mitigation Has Staved Off Rating Actions--For Now

So far, we have not taken any rating action in Asia-Pacific specifically related to a cyber attack, or risks thereof. But as attacks increase in sophistication and the attack surface widens, so too does the likelihood of a material event leading to a rating change.

In our assessment of financial institutions, we aim to understand how a financial institution manages its cyber risk exposure and the measures it would take to limit the damage from an attack. We reflect this in our management and governance assessment.

To date, we have observed only one instance where a cyber-attack has led to the downgrade of a financial institution: Malta-based Bank of Valletta PLC (see "Malta-Based Bank of Valletta PLC Downgraded To 'BBB-/A-3' On Internal Control Issues; Outlook Stable," July 31, 2019). Cyber-attacks have led to downgrades in corporate and government entities.

Our bank rating surveillance evaluates a bank's exposure to cyber risk, both individually and compared with peers, and what safeguards are in place to mitigate the impact of successful attacks. Indicators of poor cyber preparedness can include:

  • An absence of a dedicated cyber risk framework;
  • Unclear delegation of management responsibility for cyber risk;
  • Lack of an emergency response plan for cyber breaches; and
  • Insufficient resource allocation to cyber issues. This in turn can weaken our view of management and governance, potentially affecting the overall rating.

Our evaluation incorporates market data from cybersecurity specialists and public records, along with discussions with banks' management teams. These talks inform our assessment of a bank's history in handling cyber-attacks, potential business implications of a breach, and the likely success of remediation efforts.

We also consider insights into IT budgets, cyber-relevant organizational structures (including staffing), technology architecture, and systems. Our analysis considers feedback from regulators and both internal and industry benchmarking exercises.

A crack in third parties' defenses can take many forms. For banks, eternal vigilance and stronger defenses and cyber preparedness will be crucial in taking the fight to cyber criminals. Customers will demand nothing less.

Writer: Lex Hall

Related Research

This report does not constitute a rating action.

S&P Global Ratings Australia Pty Ltd holds Australian financial services license number 337565 under the Corporations Act 2001. S&P Global Ratings' credit ratings and related research are not intended for and must not be distributed to any person in Australia other than a wholesale client (as defined in Chapter 7 of the Corporations Act).

Primary Credit Analyst:Nico N DeLange, Sydney + 61 2 9255 9887;
nico.delange@spglobal.com
Secondary Contacts:Ming Tan, CFA, Singapore + 65 6216 1095;
ming.tan@spglobal.com
Deepali V Seth Chhabria, Mumbai + 912233424186;
deepali.seth@spglobal.com
Shinoy Varghese, Singapore +65 6597-6247;
shinoy.varghese1@spglobal.com
Kensuke Sugihara, Tokyo + 81 3 4550 8475;
kensuke.sugihara@spglobal.com
Ivan Tan, Singapore + 65 6239 6335;
ivan.tan@spglobal.com
Gavin J Gunning, Melbourne + 61 3 9631 2092;
gavin.gunning@spglobal.com
Nikita Anand, Singapore + 65 6216 1050;
nikita.anand@spglobal.com
YuHan Lan, Taipei +886-2-2175-6810;
yuhan.lan@spglobal.com
Daehyun Kim, CFA, Hong Kong + 852 2533 3508;
daehyun.kim@spglobal.com
Research Assistant:Naga Subramanian S, Chennai

No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.

Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.

To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.

S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.

S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.

 

Create a free account to unlock the article.

Gain access to exclusive research, events and more.

Already have an account?    Sign in