Cyber risks present a growing threat to financial institutions. A large-scale cyber attack can potentially have a considerable impact on an institution's ability to service its obligations in full and on time. The financial industry is a key target of cyber criminals because banks and other financial institutions store sensitive personal data and possess valuable information regarding financial transactions (see chart 1). Increasing digitalization in the banking system, and accelerated work-from-home arrangements in response to the COVID-19 pandemic, have further exposed the industry to cyber-criminal activity by significantly increasing online communication.

Chart 1

Cyber attacks have the potential to harm credit ratings through reputational damage as well as monetary loss. Nevertheless, in the event of a large-scale attack on a systemic bank or several large institutions we could foresee governments taking measures to stabilize the sector.

In our analysis on banks' creditworthiness, we may give consideration to cyber risks both at system-wide and at entity-specific level. Our system-wide banking sector analysis would capture cyber risks in a given country, when, for example, a banking industry as a whole suffered from a series of repeated, serious breaches of security, or if we saw that the regulators were more reactive than proactive in forcing financial institutions to strengthen their cyber security frameworks.

Our analysis of bank-specific factors (see diagram) captures the consequences of cybersecurity events in the following areas:

• The bank's business stability could be impaired by loss of customer confidence as a result of a successful attack. We also consider the ability to manage and prevent cyber risks as a part of our management and governance assessment.
• Potential losses from cyber events could lead to material losses and, in turn, hurt a bank's capitalization.
• Poorly managed cyber risks could expose structural weaknesses of a bank's risk management.
• A cyber event might result in severe reputational damage. This could potentially lead, in extreme cases, to sudden outflows of clients' funds and liquidity pressure.

The Pandemic Pushed Up Cyber Risks

Although consistent data regarding cyber incidents are not always available--not least because only a fraction of incidents becomes public--media reports of successful cyber attacks on financial institutions have increased. We believe the banking sector is becoming ever more exposed to cyber crime after the COVID-19 pandemic and work-from-home arrangements urged banks and other financial institutions to increase their digital presence.

The U.S.-based software company Guidewire reports that most publicly available cyber incidents at financial institutions are related to data breaches. The number of ransomware attacks is also on the rise. Relatively large financial institutions continue to be the most frequent targets of reported successful attacks (see chart 2). Yet, in our view no financial institution is immune to damaging cyber events, and institutions that do not invest enough in cyber security could be attacked frequently and successfully.

Chart 2

The Banking Sector Is An Attractive Target

We see several reasons why cyber criminals are keen to target banks.

Banks are a key pillar of nations' critical infrastructures.   They handle numerous monetary transactions allowing smooth functioning of economic activity and play a key role in payment processing. Cyber attacks could disrupt these activities.

A bank security breach gives attackers direct access to money.   For that reason, cyber attacks frequently directly target banks' payment infrastructure. The global provider of interbank money transfer services, SWIFT, has seen repeated attacks on its member banks, including on the 2016 Bangladesh central bank, one of the most prominent known cyber attacks, when $81 million was stolen by cyber criminals before the bank managed to prevent further money transfers.

Banks possess a wide range of personal data.  This is of interest to attackers because it can also be used for other malicious activities, such as identity theft. For that reason, bank customers (retail and corporate) often are the main target of cyber attacks, frequently considered as the "weakest link" in any cyber defense system. Attacks include sending out phishing emails that look like they are sent from the bank or, increasingly, social engineering on popular social media platforms. At the same time, attackers increasingly target bank employees using the same techniques, aiming to expose devices to malware that could then enter the bank's core system if the right endpoint controls are not in place. This could allow the attackers to get access to data that is normally only accessible behind banks' virtual private networks (VPN), which makes attacks on employees particularly sensitive.

Cyber attacks on banks are evolving and becoming more sophisticated, frequent, and coordinated. Attackers rely on modern technology and target weaknesses in banks' IT infrastructure. One example of this is by flooding customer-facing bank websites with traffic (a so-called distributed denial-of-service attack) to take them offline in order to either blackmail the bank or to steal bank customer data.

Overall, we believe that a combination of specific features--such as possession of valuable personal data and critical role in servicing particular financial or economic needs and segments--as well as an entity's weak awareness of potential cyber risks make a financial institution an attractive target for an attack.

The following characteristics indicate that a financial institution is less prepared for, and therefore more vulnerable to a cyber incident.

• Weak risk governance, with no dedicated cyber risk framework or clear management responsibility (for instance, when cyber risk is considered solely part of IT rather than part of the whole company's risk management framework). Evidence of this may be the lack of an emergency plan or insufficient resources to identify, isolate, and defend potential data breaches or attacks.
• Outdated and fragmented IT infrastructure with legacy systems in place. This incorporates outdated cyber-risk software without continuous patching of of automated teller machines (ATMs) and central servers. ATM networks have a lot of legacy hardware and software, which have become a popular target for cyber attacks. Another issue is a lack of back-up server capacity to redirect classic distributed denial of service (DDoS) attacks.
• Weak regulatory framework regarding cyber attack defense in a given jurisdiction. This affects banks with business in countries with higher risks and lower standards.

Limited Direct Impact On Bank Ratings To Date

The rating impact of a cyber incident would vary depending on the incident's characteristics and scope, and the extent of any resulting reputational damage or losses as a consequence. A theft of customer data may have a less material impact compared to a malware attack, for example. The rating impact would depend on how an entity's credit metrics changed as a result of the attack, and whether they were strong enough to absorb the losses and damage. One example of a rating impact was the downgrade of the Bank of Valetta after a cyber attack increased concern regarding the robustness of the bank's operational risk management (see "Malta-Based Bank of Valletta PLC Downgraded To 'BBB-/A-3' On Internal Control Issues; Outlook Stable," July 31, 2019).

A significant cybersecurity-related data breach at U.S.-based Capital One Financial Corp., in July 2019, did not result in a rating action, because we believed that direct costs associated with the incident were manageable for the entity, and the release of key customer data was limited (see "Capital One Financial Corp.'s Data Breach Increases Reputational Risks, Although The Direct Costs Appear Manageable," July 30, 2019). At the same time, we believed that the event underscored the importance of cybersecurity for banking institutions, and increased reputational risk for the entity.

Most recently, the Russia-based securities firm Freedom Finance reported data theft in December 2020, following a successful phishing attempt. The ratings were unaffected, owing to the company's resilient capital and earnings position (see "Freedom Finance's Data Breach Marginally Increases Risks To Strategy Of Building Commission Income," Dec. 28, 2020).

While cyber attacks have had only a limited effect on ratings on financial institutions so far, we expect them to trigger more rating actions in the future as cyber incidents become more frequent and complex.

How Cyber Risk-Ready Are Banks?

In our view, the key to cyber resilience lies in risk management action, both before and after an attack. In our analysis, we seek to understand how a financial institution manages its cyber risk exposure and how it would act after a potential attack to limit the damage.

In practice, we seek to understand an institution's awareness of cyber risk, the importance of cyber risk management, and the role of the Chief Information Security Officer (CISO) within the financial institution. We would also explore the extent to which cyber risk awareness is embedded across the different levels in an organization and the capabilities and resources it dedicates to cyber defense.

Given the importance of reputation and customer confidence within our assessment of relative credit risk, especially in financial institutions, we would also examine management response in the wake of the attack. Financial institutions with clear mitigation plans, that develop and test playbooks, and define their post-attack crisis management are better positioned to control a cyber incident and minimize reputational damage. In this respect, we think that leadership, communication, and transparency are key to limiting reputational risk and its potential impact on ratings.

Areas of discussion we would likely address in our analysis include:

• The bank's documented cyber risk management strategy, policy, and framework, including key strategic priorities in this area.
• The level of is cyber-risk awareness in the organization, including employee trainings.
• Budget allocated to cybersecurity, including revisions following COVID-19 pandemic.
• Whether the institution has experienced a cyber event that has lead to actual losses, and, if yes, what were the lessons learned and preventive actions taken.

(For further discussion on this topic see "How Ready Are Banks For The Rapidly Rising Threat Of Cyberattack?", published Sept. 28, 2015).

Strong Defense Measures Are Critical

Generally, we do not expect management teams to eradicate cyber attacks. However, what is critical to us is the way in which institutions respond. Although it is crucial to learn from previous attacks and strengthen cyber-risk frameworks in real time, the appropriate detection and remediation of attacks takes precedence because the nature of threats will continue to evolve.

We think it likely that cyber incidents will become more sophisticated, thus making them more difficult to handle. We therefore consider that the expansion of the organizational digital capabilities should be accompanied with strengthening and increasing the cyber defense and cyber risk management culture.

In particular, we expect organizations will enhance their cyber risk management frameworks. We believe cyber defense will become an increasingly important part of entities' general risk management and governance frameworks, in need of increasing spending and more sophisticated tools. We acknowledge, however, that this might not be straightforward for many entities, especially the ones with weaker risk-control frameworks and insufficient budget allocated for cyber defense.