Key Takeaways
- In our view, securitizations have lower direct exposure to cyber events than non-special-purpose entities, such as corporates and financial institutions. However, the potential negative credit impact following a cyberattack could be more pronounced given the limited resources available to securitizations.
- Many of the structural features already in place to ensure operational continuity in structured finance transactions have positive spill-over effects on cyber readiness. These include cash reserves to address liquidity risks, performance triggers that may change the priority of payments, and replacement provisions for key transaction parties who may become materially affected by a cyber event.
- Concerns over a key transaction party's level of preparedness for a cyberattack, or demonstrated poor management of an attack, could increase operational risk, and potentially result in a ratings cap on the securitization.
- While we expect more structured finance transactions will be exposed to future cyber events, we believe transaction parties and deal structures are generally well positioned to manage these risks.
Cyberattacks are becoming more and more sophisticated, and structured finance transactions are not immune. At S&P Global Ratings, we have seen more credit-relevant cyber events in the last six months than in the previous six years, including the first structured finance transaction reporting an operational disruption following a ransomware attack on the originator and servicer (see "Cyber Risk In A New Era: The Increasing Credit Relevance Of Cybersecurity," published July 14, 2021 and "Fraikin Recovering From Cyber Attack; Eurotruck Lease Securitizations Ratings Unchanged At This Time," published May 27, 2021).
We routinely reflect on recent cyber developments to sharpen our focus and to help us refine our forward-looking credit views. We explore several hypothetical cyber event scenarios to identify areas of potential risk, and consider how structural features common in securitizations may help issuers respond to, and recover from, a material cyber event.
Overall, we believe transaction structures are relatively well prepared to respond to a cyber event, and have not taken any rating actions directly attributed to a cyberattack to date. However, failure of the issuer to remedy exposure to a cyber event in a timely manner could lead to negative rating action.
Frequently Asked Questions
How could a structured finance transaction be vulnerable to a cyberattack?
Being established as special-purpose-entities (SPE), structured finance issuers typically do not have any IT infrastructure, external network footprints, or employees who may present network vulnerabilities for hackers to exploit. We therefore believe it is unlikely that they would be directly exposed to a cyberattack. However, an SPE's reliance on third parties to perform daily activities, such as collecting on the assets and arranging payments to creditors, introduces potential cyber vulnerabilities.
For the key transaction parties in a simplified securitization structure, shown below, we have identified some hypothetical scenarios where, in our view, the relationship between the issuer and the transaction party could expose a transaction to cyber risk. These scenarios are not intended to be exhaustive, but may help gauge the level of preparedness of securitizations to manage potential cyber events based on existing structural features.
What structural features could mitigate cyber risks?
The ability to make timely debt service payments on securitizations is generally dependent on the timely collection of payments from the underlying assets, the remittance of those collections to the issuer, and the disbursement to the issuer's creditors. Transaction structures typically contain numerous features that are designed to mitigate any disruption that may occur in this flow of funds, including from a potential cyber event.
| Structural features and mitigants | |
|---|---|
| Structural Feature | Mitigant To Cyberattack |
| Special-purpose entity | Being established as bankruptcy remote SPEs, securitization issuers generally do not have any IT network that hackers would be able to exploit. |
| Liquidity reserves | Transactions may contain cash reserves, lines of credit, or other liquidity facilities, which could be used to ensure timely interest payments are made on the notes, if there is a disruption in collections from obligors or delay in transferring these amounts to the issuer's account. This may prevent an event of default from occurring, until collections or account sweeps can be restored. |
| Performance triggers | If underlying borrowers were affected by a cyber event and delinquencies or losses in the collateral pool increased, performance triggers may change the transaction's priority of payments. For example, a pro rata payment structure may switch to sequential if certain triggers are breached, or a revolving transaction may begin to amortize, which would be expected to increase the credit enhancement for the senior notes. |
| Replacement of transaction parties | Transaction documents contemplate the replacement of transaction parties if they are unable to perform their roles. For parties who perform an administrative function, we believe that disruptions could be remedied without material delay, given the relative ease with which they can be replaced. |
| Minimum required credit ratings on financial counterparties | Financial counterparties in transactions, such as bank account providers or derivative counterparties, typically have minimum required credit ratings to remain eligible. When assessing the credit quality of these entities, we consider their governance frameworks and operational risk exposure, and where warranted their cyber risk approach. There are typically replacement commitments in place for counterparties who fail to maintain the minimum required credit ratings, or other remedies such as the counterparty posting collateral with a third party. |
| Back-up servicer | A back-up servicer may be appointed if the initial servicer is unable to perform its role. The operational readiness of the back-up servicer, such as hot, warm, or cold, may affect the timeliness of the servicing transition and period required to resume collections. |
| Data trustee | A data trustee may hold encrypted borrower data, which could be used by the servicer, back-up, or other transaction parties if the servicer's systems or electronic records were not available. |
| Cash manager | If the servicer is unable to determine the allocations of the available distribution amounts, an independent cash manager may use prior reports as a proxy to ensure timely interest payments are continued until the reporting is restored. |
| Direct debit collections | In our view, if there are disruptions at the servicer or collection account bank, it would be operationally easier to implement a change in payment instructions for obligors who pay by direct debit than for borrowers who select the account where payments are made to. |
| Indemnities | The servicer may remain liable for remitting to the issuer amounts deposited in the collection account that may be lost or inaccessible if the account provider is affected by a cyber event. |
| Sweeping frequency | A shorter sweeping frequency from the servicer's account to the issuer account may reduce the exposure to cyber events at the servicer and collection account provider by limiting the amounts on deposit. |
| Payment frequency | Transactions with longer periods between interest payment dates may have embedded liquidity as there may be more time following a cyber event to resolve issues before payments come due. Meanwhile, transactions with short legal maturity dates, such as asset-backed commercial paper, may be more vulnerable to default if there is a payment disruption. |
How does our credit rating analysis account for cyber risks?
The first line of defense against a potential payment disruption in a transaction, including those from a cyber event, is the effectiveness of the transaction party in limiting exposure to the risk and managing any disruption if the risk materializes. As a second line of defense, the presence of structural mitigants could remedy a payment disruption and ensure timely payments are maintained on the rated notes.
Performance key transaction parties. In our view, the servicer typically poses the largest potential for payment disruption in a securitization from a cyberattack. This is because the performance of the receivables, which are the primary source of cash flow to repay the rated notes, could be directly affected by a cyber event at the servicer. We believe the risk would be magnified for some asset classes that depend heavily on active, highly specialized servicers, (e.g., re-leasing, repossession, maintenance and/or remarketing services), or in sectors with a close linkage to an operating company (e.g., whole business securitizations). As part of our operational risk analysis, we may assess the disruption risk of key transaction parties, including a review of the senior management team, company track record, experience, and internal controls, with cyber risk being one of several factors that could influence our risk assessment (see "Global Framework For Assessing Operational Risk In Structured Finance Transactions," published Oct. 9, 2014).
The following questions may provide insight into an entity's relative state of cyber risk preparedness. Although it is not intended to be a checklist or to apply to every situation, it can provide a general example of what we might ask when speaking with transaction parties. We could request additional information or look for further policies and practices as the situation warrants, while in other cases it may be viewed as less relevant for our credit rating analysis.
Assessing Cyber Risk Preparedness
Who oversees the information security program (e.g., is there a chief information security officer)?
What steps have been taken to identify and protect assets and data from cyberattacks?
- Device registration and access controls (e.g., multifactor authentication and regular access audits);
- Firewalls;
- Staff training (e.g., phishing exercises);
- Anti-virus software, malware scans, and security-patch management;
- Vendor management; and
- Two-signature requirements on wire transfers and payments.
What policies and practices have been implemented to enable the detection of, response to, and recovery from a cyberattack?
- Data recovery plans, including offsite backups;
- Cyber event insurance;
- In-house or third-party legal counsel on retainer for cybersecurity matters;
- System scans to detect malware/attacks; and
- Ability to isolate attack from affecting entire network.
What was the response to material physical or cyber security breaches that have occurred?
In accordance with our criteria, where we believe operational risk could lead to credit instability and/or a ratings impact, we may limit the securitization's maximum potential rating.
Administrative key transaction parties. For administrative key transaction parties, such as the trustee, calculation agent, and paying agent, their roles are usually limited to executing certain instructions in the transaction documents. The skills required to perform these responsibilities are commoditized, making replacement relatively easier. Furthermore, administrative transaction parties are typically highly rated, regulated financial institutions, or subsidiaries thereof, and have robust risk management frameworks including a formal cybersecurity protection plan with regular stress testing. As a result, consistent with our criteria for analyzing operational risk, administrative key transaction parties usually do not constrain a transaction's maximum potential rating unless we have reason to believe that their track record is not satisfactory and their future performance could have an adverse impact on the rated notes.
How might a cyberattack affect structured finance credit ratings?
If a detected cyber event is likely to affect rated transactions, we would conduct a case-by-case review to determine if a rating action is warranted. We would typically consider the nature of the attack: how direct is the exposure, including the scope and size of the event, how likely it is to have a knock-on effect on the rated notes, and within what timeframe; and the terms and conditions of the notes. If there is a payment shortfall on the rated notes, we would consider any stated grace periods and the likelihood that the disruption could be remedied in a timely manner in determining whether a rating action is warranted.
For example, a severe ransomware attack that results in an immediate payment shortfall on the rated securities and is expected to persist for a prolonged time may warrant a rating action. Meanwhile, a data breach that could potentially result in future losses if the affected transaction party defaults, and if other structural mitigants prove ineffective, may not have an immediate impact on our credit ratings.
In our view, timely management of a cyber event is key to preserving the credit quality of a transaction. Depending on the nature of a cyber event, it may create either a temporary liquidity risk, or result in increased credit risk if the issuer suffers losses. We believe that, in most cases, liquidity risks would be the more likely outcome. As a result, in our view, securitization structures are generally well prepared to manage cyberattacks given the structural mitigants outlined above. However, if structural features do not prove effective in managing the fallout from a cyberattack, for example due to a prolonged period of disruption that depletes liquidity reserves available to an issuer, the potential ratings impact could be more pronounced than for non-special-purpose issuers. This is because SPEs have limited resources to make timely payments to their creditors, so any disruption in cash flows could be more severe than for other entities who have alternative sources of liquidity.
This report does not constitute a rating action.
| Primary Credit Analyst: | Matthew S Mitchell, CFA, Paris +33 (0)6 17 23 72 88; matthew.mitchell@spglobal.com |
| Secondary Contacts: | Claire K Robert, Paris + 33 14 420 6681; claire.robert@spglobal.com |
| Srabani C Chandra-Lal, New York + 1 (212) 438 5036; srabani.chandra-lal@spglobal.com | |
| Simon Ashworth, London + 44 20 7176 7243; simon.ashworth@spglobal.com |
No content (including ratings, credit-related analyses and data, valuations, model, software or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment and experience of the user, its management, employees, advisors and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw or suspend such acknowledgment at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain non-public information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.standardandpoors.com (free of charge), and www.ratingsdirect.com and www.globalcreditportal.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.standardandpoors.com/usratingsfees.
Any Passwords/user IDs issued by S&P to users are single user-dedicated and may ONLY be used by the individual to whom they have been assigned. No sharing of passwords/user IDs and no simultaneous access via the same password/user ID is permitted. To reprint, translate, or use the data or information other than as provided herein, contact S&P Global Ratings, Client Services, 55 Water Street, New York, NY 10041; (1) 212-438-7280 or by e-mail to: research_request@spglobal.com.