Cyber Risk Insights: Attack On Vulnerable Software Highlights Outsourcing Risk For Banks

This report does not constitute a rating action.

FRANKFURT (S&P Global Ratings) July 21, 2023--S&P Global Ratings today said that while the recent data breach affecting several banks and other organizations around the world highlights the risks arising from outsourcing services to, and integrating software from, third parties, it does not expect the affected banks to be exposed to additional operational or reputational risks not already captured in its ratings on those entities following the attack.

Starting in early July, several banks, mostly in Germany and the U.S., suffered data breaches that exposed some customer data to the attackers. This data mostly consists of personally identifiable information, such as customers' full names and account numbers; as far as we understand from media reports, no other sensitive information, such as transaction details or online banking passwords, was exposed.

The attack originated from a zero-day vulnerability in the encrypted file transfer software package MOVEit, which was used by a bank account migration service provider that cooperated with the affected banks. The attack was conducted by a Russia-based criminal group called CL0P, which demanded a ransom to avoid publication of the stolen data.

While several hundred organizations globally are affected by the MOVEit attack, the account migration service affected some major German banks, including Commerzbank AG (A-/Stable/A-2); Deutsche Bank AG (A-/Positive/A-2) and its Postbank brand; the German entity of ING Groep N.V. (A-/Stable/A-2), ING Deutschland (not rated); and a number of Sparda banks, which are part of the Cooperative Banking Sector Germany (A+/Stable/A-1). Based on media reports, we understand that within each of these organizations, only a relatively small number of customers were affected.

We expect the affected banks to have immediately and adequately managed the risks from this incident, without a lasting impact on their reputations. However, we think the incident highlights the risks arising from banks increasingly outsourcing services and integrating third-party software and IT into their operations (see "European Banks Face Risks In Race To Implement PSD2," published May 16, 2019, on RatingsDirect). Banks use application programming interfaces for open banking solutions, which expose online banking systems to third-party providers, to keep up with increasingly fast-paced technological development while keeping costs under control. However, we think the resulting operational dependency increases banks' vulnerability to cyber risks when providers experience issues. It will also likely trigger higher regulatory scrutiny, because these dependencies require banks to develop strong capabilities for assessing the risks of external service providers, and to constantly monitor and improve their cybersecurity systems.

Related Research

S&P Global Ratings, part of S&P Global Inc. (NYSE: SPGI), is the world's leading provider of independent credit risk research. We publish more than a million credit ratings on debt issued by sovereign, municipal, corporate and financial sector entities. With over 1,400 credit analysts in 26 countries, and more than 150 years' experience of assessing credit risk, we offer a unique combination of global coverage and local insight. Our research and opinions about relative credit risk provide market participants with information that helps to support the growth of transparent, liquid debt markets worldwide.

Primary Credit Analyst: Claudio Hantzsche, Frankfurt + 49 693 399 9188;
claudio.hantzsche@spglobal.com
Secondary Contacts: Regina Argenio, Milan + 39 0272111208;
regina.argenio@spglobal.com
Heiko Verhaag, CFA, FRM, Frankfurt + 49 693 399 9215;
heiko.verhaag@spglobal.com
Richard Barnes, London + 44 20 7176 7227;
richard.barnes@spglobal.com
Harm Semder, Frankfurt + 49 693 399 9158;
harm.semder@spglobal.com
Anastasia Turdyeva, Dublin + (353)1 568 0622;
anastasia.turdyeva@spglobal.com

No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.

Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.

To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.

S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.

S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.