Cyber risk is increasing globally. Attacks on Australia-based entities have spiked in recent months, and S&P Global Ratings expects such breaches to continue next year. The success of hackers in obtaining sensitive personal data will encourage further attempts despite a general refusal by targets to meet ransom demands.

Australian organizations will need to improve their systems and tighten their defenses. We anticipate that regulators will increase monitoring and reporting of cyber risks.

In Australia cyberattacks have so far not directly affected credit ratings. But the more they occur, the greater the chance of negative credit action.

A Costly National Threat

Cyberattacks can interrupt business and damage reputations, which we consider as potentially material credit risks. This is in addition to the direct costs involved in boosting cyber resilience and restoring information security. The risks and associated costs of cyberattacks are rising.

Cyber risk is now a daily threat. In 2021-2022, the Australian Cyber Security Centre (ACSC) received more than 76,000 cybercrime reports: approximately one report every seven minutes. The ACSC considers the instance of events to be under-reported but growing in severity.

Investments in risk awareness and data security are increasingly sophisticated in order to identify and prevent firewall breaches. These investments are, in turn, weighing on financial returns and operating efficiencies--although to date not to such an extent to affect ratings. Online identity verification has strengthened and negated the need to retain detailed customer data. Such initiatives reduce the potential for cyberattacks.

From a governance perspective, the preparedness of management teams in combatting a breach and seeking support remains a key focus. To the extent that their insurance cover allows it, entities can draw additional expert help from insurers' support networks.

Cyberattacks have spanned both the private and public sphere in Australia. Governments, companies, banks, insurers, police, and universities are among those entities affected. Here is a snapshot of recent attacks:

Corporate And Infrastructure

The main consequences of cyberattacks for corporates are business interruption and reputational/brand damage (see "Perspectives On Cyber Risk Across Corporates: The Potential Impact Of Cyber Threats Is Growing," Nov. 7, 2022). Financial consequences from ransom payments or regulatory fines are typically manageable from a credit perspective. While one-off costs are temporary, damage to brands and business from loss of trust and weakened performance could be ongoing.

Until recently, cyberattacks on corporate Australia have been largely low in profile and have not affected large numbers of people. But the landscape is changing, as shown in cases of telecommunications company Optus (a subsidiary of Singtel Optus Pty Ltd.) and Australia's largest health insurer Medibank Private Ltd. The underlying corporate sectors, telecommunications and healthcare, face a higher--and more sophisticated--threat because of the sensitive personal information they hold. Infrastructure businesses such as those in the energy sector can also be at higher risk of attack due to the essential nature of their services.

Banking

In our view, Australian banks are attractive targets for cyberattacks. A successful attack can yield access to payment infrastructure as well as a wide range of personal information and data on companies and individuals. This may lead to substantial losses for those attacked.

We consider that cyber risks pose a threat to the stability of the heavily interconnected Australian financial system (see "Australia's Banks Are Slowly Tuning In To The Risks Of Cyber Attacks," Oct. 4, 2022).

However, cyber risk is unlikely to materially affect our credit ratings on Australian financial institutions. This is because of early steps taken by banks and the regulator to strengthen cyber risk management, strong industry collaboration, and the strong capitalization of the banking system.

To date the banking system has avoided crippling attacks but this may not last forever. Noteworthy cyber events during the past four years include:

There is a global shortage of people with cyber risk skills (about 2.7 million people according to the (ISC)2 Cybersecurity Workforce Study), and the Australian banking system is no exception. Worse, the banks are competing directly with technology companies for skilled workers.

In our view smaller banks may find it more difficult to attract and retain skilled talent compared with larger banks that have deeper pockets and are willing to pay for the necessary resources.

The size of banks in terms of customer base may also increase their susceptibility to a data breach. For banks with large relative customer sets (relative to revenue and capital) the risk of a data breach is much higher.

Other factors that may also play a role include the number of unique IP (internet protocol) addresses a company has, its volume of network traffic, and the general popularity of its website.

Sovereign And Public Enterprises

Governments and public entities, such as universities, often face similar cyber risks to the private sector. The consequences of incidents will however differ. Several rated entities across Australia have suffered data breaches in recent years, either through direct attacks on their own networks or via third-party vendors.

The costs of prevention and insurance are rising as public entities seek to stay a step ahead of cyber criminals. To date, we assess that the financial consequences have been small and manageable from a credit perspective.

In the past year alone, government-related targets have included the Australian Federal Police, the client management system of the National Disability Insurance Scheme, the payroll software provider to the government of South Australia, the University of Western Australia, and Deakin University. Less maliciously, there have also been privacy breaches caused by apparent human error, such as that which occurred at New South Wales government insurer iCare

In contrast to the private sector, we believe that governments face less reputational risk and potential for brand damage. It is much harder for residents to change their government than it is for consumers to change their bank or telecommunication provider.

Further, governments are generally not subject to the same regulatory penalties or civil litigation as the private sector. Governments also have much larger and more diversified balance sheets and nearly unfettered revenue-raising powers.

Similarly, despite the rising frequency of reported attacks on the Australian higher education sector, credit quality remains very strong. Retention rates are high, as most students stick with the same provider throughout their course of study.

The ratings on the Australian National University (AA+/Stable/A-1+) are supported by continued domestic and international student demand and strong financial outcomes. We do not see any signs of a shift in student preferences following a high-profile data breach that occurred in 2018.

Insurance

Insurance companies are both prone to attack and can be a provider of some cover and access to support services for those entities being targeted. Policies providing cyber risk cover are typically capped in terms of payments and have a relatively low order of payouts.

Insurers have moderated their provision of cover. This reflects the complexity of risk assessment, and of assessing the strength and quality of controls embedded. The credit risk implications revolve around the retention of exposure by the insurer and the appropriate pricing for risks accepted.

Additional elements of cyber cover include business interruption, data loss and restoration, liability arising from failure to maintain confidentiality of data, network or data extortion and regulatory expenses.

No credit ratings have been affected, or rating components, due to the consequences of a cyberattack on Australia based insurers.

The hacking of Medibank sought to exploit the release of confidential customer health data. The attack resulted in temporary system outages, disrupting operations and customers' access to the website. As the systems were not encrypted by the attackers and Medibank maintained access to its data, the attack was not classified as ransomware.

Structured Finance

We believe that securitizations have a lower direct exposure to cyber events due to the special purpose entities (SPEs) in these structures. However, the potential for negative impact could be more significant given the limited resources available to securitizations, and the reliance of SPEs on third parties.

The servicer, in our view, has the greatest potential for payment disruptions due to a cyberattack. We consider these risks in our rating analysis by understanding the operational preparedness of servicers and other transaction parties in our operational reviews as well as structural mitigants that may be available in the event of disruptions.

No cyberattacks to date have affected payment flows in securitization in Australia. In Europe in 2021 we saw the first structured finance transaction reporting an operational disruption following a ransomware attack on the originator and servicer (see "Credit FAQ: How Could Cyber Risks Affect Structured Finance Transactions?" Sept. 8, 2021).

Ransom: To Pay Or Not To Pay?

Ransom demands will continue to generate challenges for entities under attack. A ransomware attack and the associated demand for payment may be small but it can nevertheless cause unwanted notoriety and reputational harm.

Debate continues as to whether organizations that have received ransom demands should pay the ransom. In the Optus and Medibank cases, ransom demands were made but neither company paid.

The ACSC advises against paying a ransom. Despite the Australian federal government's position, some cyber industry participants recommend paying a ransom in certain circumstances. The argument for paying a ransom is that for proponents of cyberattacks this is a "business" and that restoration of data upon payment of a ransom will complete the transaction.

ESG Factors: Management And Governance

S&P Global Ratings assesses cyber risk as part of our assessment of management and governance. The relevant environmental, social, and governance (ESG) sub factors are risk management, culture, and oversight.

For both management teams and boards, the question of how to assess and manage cyber risks will gain greater attention in 2023. In many instances this will involve further upgrade and tightening of existing systems and procedures. Costs will increase, including for the hire of skilled staff with requisite expert skills in cyber technology.

Analysis of significant cyberattack events will help to determine lessons learned and provide valuable input into plans and strategies. In the case of Medibank, the Australian Prudential Regulation Authority has contributed to the terms of an external review being undertaken by Medibank and is increasing its supervision of the company.

An Unrelenting Battle

Communication about cyber risk management will increase in 2023, partly in response to increased demands and expectations from investors, regulators and customers.

Key questions for many organizations will be what customer data are appropriate to request, how the data is to be received, whether it needs to be kept in a business context, and if so, for how long. We expect to see more in-depth reporting of cyber risk in organizations' annual reports.

The battle against cyberattackers will be unrelenting. Strong defenses are key.

Related Research

• Perspectives On Cyber Risk Across Corporates: The Potential Impact Of Cyber Threats Is Growing, Nov. 7, 2022
• Cyber Trends And Credit Risks, Oct. 25, 2022
• Australia's Banks Are Slowly Tuning In To The Risks Of Cyber Attacks, Oct. 4, 2022
• Credit FAQ: How Could Cyber Risks Affect Structured Finance Transactions? Sept. 8, 2021

Editor: Lex Hall