Asia-Pacific financial institutions face increasing cyber threats. Third-party breaches are the most pressing sources of risk for banks, in our view. So too, is the task of finding 2.5 million skilled cyber staff in Asia Pacific needed to deal with the threat, according to the World Economic Forum (WEF), a think tank. S&P Global Ratings believes these risks could have both financial and ratings implications for the entities under our coverage. For smaller banking institutions, that often rely on third-party service providers and have fewer cyber-skilled staff to keep a lid on costs, the threat is acute.

More Frequent And More Sophisticated Threats

Because of the access they provide to payments systems and the sensitive information they hold, banks remain a key target for hackers. In the first quarter of 2024, Asia-Pacific recorded a 16% year-on-year increase in cyber-attacks--among the highest in the world, according to data from Checkpoint, a global provider of cyber-security solutions.

As technology evolves so too does the probability of successful attacks if risk-management practices do not keep pace. Increased digitalization and advances in AI are coinciding with heightened sophistication of methods used by cyber attackers. This includes in areas such as social engineering, phishing, and the use of generative AI. Attackers will focus on identifying areas of weakness. For banks, the risk may come from their interaction with third parties who themselves fail to properly mitigate cyber risks.

Other elevated risks include the interconnectedness of banking systems, across jurisdictions and within individual countries, and the potential for reverberation.

Third-Party Interaction Presents Supply-Chain Risk

Banks must be prepared for the likelihood that third parties will continue to be exploited. Recent attacks in Asia-Pacific and elsewhere demonstrate that bad actors can stage attacks by identifying and exploiting weaknesses in the cyber risk management of third parties. Attackers can use supply chains--a service provider or a third-party software--to exploit trusted relationships to gain initial access to a bank.

Given the ease of access in instances where the defenses are weak, such attacks are likely to recur, in our view. Many of the recent attacks have involved ransom demands, some of which have purportedly been paid.

Increase in Third Party Technologies Highest In Asia Pacific

Guidewire data suggests that third party cyber risk in Asia-Pacific has also been increasing more than what we have observed globally. Guidewire's data monitors the use of third-party technologies, which includes, for example, libraries, tools, and platforms to build a website's technology stack.

Table 1

Smaller Banks Increasingly Vulnerable

The data also suggests smaller banking institutions face a greater risk than their larger counterparts because of their greater reliance on third-party technologies. Larger banks, in contrast, develop many of these systems inhouse.

Table 2

We view the following factors as driving the increase in third-party cyber risk in Asia-Pacific:

Increased digitalization during the pandemic.  During this time, customers made more use of online banking services and bank staff worked from home. Banks are also paring back their branch infrastructure to lower their cost base.

Increased use of cloud-based service providers.  Banks are using this to achieve greater operational efficiency, cost savings, and agility. On the one hand, moving to the cloud may increase cyber risk complexity; on the other, it could also enhance security. Large cloud-based service providers have strong cyber security governance and compliance.

The advent of open banking in the region.  This technology allows more third parties access to a bank's IT systems thereby increasing risk. Financial institutions are also increasingly exploring business opportunities with fintech companies.

Smaller banks are more likely to use third-party service providers to save costs and achieve economies of scale. This is particularly true for smaller banks that use off-the-shelf core banking products and for jurisdictions where competition is increasing, for example Australia.

We expect cyber risk management and governance among third parties to be generally less stringent compared with highly regulated banks. Non-prudentially regulated third parties often face less regulation and may not need to comply with stricter industry standards set for banks. Nor do unregulated third parties face routine inspections.

Regulators: Tightening Scrutiny On Third-Party Risk Management Will Help

New regulations are increasingly focusing on third-party risk management. This includes establishing or updating the regulatory frameworks and increasing their level of scrutiny. In our view, increased regulation and supervision will strengthen banks' cyber risk management.

The Australian Prudential Regulation Authority has strengthened the operational risk management standard.  The regulator now requires banks to maintain a comprehensive service provider management policy. The policy must cover how the entity will identify material service providers and manage service-provider arrangements, including the management of material risks associated with the arrangements.

The Hong Kong Monetary Authority (HKMA) has conducted examinations of banks' management of cyber risk associated with the use of third-party services.  Following a review in January 2023, the HKMA listed a range of sound practices banks should follow to strengthen their supply-chain risk management. This included threat intelligence monitoring to cover third parties, and strengthening the preparedness of supply chains with scenario-based strategies.

The Financial Services Agency of Japan proposed a change to its regulatory framework over cyber risk in June 2024.   It extracted items related to cyber security from the supervisory guidelines and creating a more expanded and detailed guideline specific to cybersecurity of the financial sector. There is a stronger focus on strengthening security measures over vendors and service providers, including their subcontractors, due to an increased number of cyber incidents brought by third-parties.

The Monetary Authority of Singapore (MAS) conducted thematic inspections on the operational risk management standards and practices of selected banks in 2022.  The MAS focused on third-party risk management, and published an information paper setting out its supervisory expectations, good practices, improvement areas, and case examples observed from the inspections.

Bank Negara Malaysia (BNM), the country's central bank, remains focused on risks related to third-party service providers.  In November 2023, BNM led a simulation with banks that have large branch and ATM networks to test the industry's controls and response to potential disruptions in third-party services affecting cash operations. The exercise provided insights on how to strengthen existing arrangements with alternate service providers to ensure continuity of businesses and services.

The Reserve Bank of India has highlighted aspects that banks should observe in their operational controls and governance structure while outsourcing services.  Some examples include ensuring that third-party vendors implement strong data-protection measures and conduct regular audits and assessments adequacy of the vendors' risk management practices, compliance with laws and regulations, etc.

The Reserve Bank of New Zealand set out a risk-management guidance in April 2021.  Key elements of the guidance include third-party management planning and due diligence, negotiation, ongoing management, review and accountability, and termination.

The National Financial Regulatory Administration in China issued operational risk management rules for banking and insurance institutions, effective July 1, 2024.  The aim is to ensure data security risks are integrated into the institutions' comprehensive risk management system.

In Taiwan, The Financial Supervisory Commission released the Financial Cyber Security Action Plan 2.0 in 2022.  This is to ensure uninterrupted operation of the financial system, provide the public an environment of online transaction that inspires confidence, and to strengthen the cyber defense capabilities of financial services firms.

In Korea, financial regulators continue to strengthen the financial services companies' preparedness and resilience against increasing cybersecurity threats.  The Financial Services Commission (FSC) announced measures to further improve security governance of financial services companies recently. The FSC also set out security guidelines for the use of AI in the financial sector.

Banks Look To Boost Due Diligence, Automation

In our view, banks are adhering to regulatory requirements to manage supply-chain risk, and this will lift the level of third-party risk management in banks. This does, however, pose a greater test of compliance for smaller banks, given increased regulatory complexity, fewer resources, and greater reliance on third parties.

Our meetings with bank management reveal some of the key steps they are taking:

• Due diligence to evaluate the risk profiles of third-party vendors before engagement.
• Third-party risk management programs that cover the lifecycle of third-party relationships.
• Advanced automation tools to manage third-party risks. Examples include vendor risk management platforms and security information systems.
• Investment in training and awareness. Banks are investing in programs to ensure that employees understand the importance of third-party risk management and can handle related challenges.
• Reducing reliance on providers of third-party services where they can.

Four Million Reasons Why The Cyber Skills Void Remains

Shortages in cyber risk skills combined with a limit on spending on cyber risk (relative to larger banks in Asia-Pacific) could become a credit weakness, especially for some smaller banks.

Amid increased digitalization and the emergence of AI, more cyber skills will be needed. Many banks also rely on legacy systems that need replacing. This will further squeeze cyber resources.

Between 2022 and 2023, the global cybersecurity workforce grew by 12.6%, according the to the WEF). A big year-on-year climb for any industry. But the talent gap is still far from filled. As of April 2024, the cybersecurity industry faces a shortfall of 4 million workers worldwide, the WEF says.

The shortage is most pronounced in Asia-Pacific, which lacks more than 2.5 million cybersecurity workers, followed by North America, which faces a gap of almost 522,000 people.

In addition, banks in Asia-Pacific are competing with an IT sector that also faces increasing demand for these skills.

Risk Mitigation Has Staved Off Rating Actions--For Now

So far, we have not taken any rating action in Asia-Pacific specifically related to a cyber attack, or risks thereof. But as attacks increase in sophistication and the attack surface widens, so too does the likelihood of a material event leading to a rating change.

In our assessment of financial institutions, we aim to understand how a financial institution manages its cyber risk exposure and the measures it would take to limit the damage from an attack. We reflect this in our management and governance assessment.

To date, we have observed only one instance where a cyber-attack has led to the downgrade of a financial institution: Malta-based Bank of Valletta PLC (see "Malta-Based Bank of Valletta PLC Downgraded To 'BBB-/A-3' On Internal Control Issues; Outlook Stable," July 31, 2019). Cyber-attacks have led to downgrades in corporate and government entities.

Our bank rating surveillance evaluates a bank's exposure to cyber risk, both individually and compared with peers, and what safeguards are in place to mitigate the impact of successful attacks. Indicators of poor cyber preparedness can include:

• An absence of a dedicated cyber risk framework;
• Unclear delegation of management responsibility for cyber risk;
• Lack of an emergency response plan for cyber breaches; and
• Insufficient resource allocation to cyber issues. This in turn can weaken our view of management and governance, potentially affecting the overall rating.

Our evaluation incorporates market data from cybersecurity specialists and public records, along with discussions with banks' management teams. These talks inform our assessment of a bank's history in handling cyber-attacks, potential business implications of a breach, and the likely success of remediation efforts.

We also consider insights into IT budgets, cyber-relevant organizational structures (including staffing), technology architecture, and systems. Our analysis considers feedback from regulators and both internal and industry benchmarking exercises.

A crack in third parties' defenses can take many forms. For banks, eternal vigilance and stronger defenses and cyber preparedness will be crucial in taking the fight to cyber criminals. Customers will demand nothing less.

Writer: Lex Hall

Related Research

• Asia-Pacific Corporate Cyber Risks: What You Don't Know Can Hurt You, June 11, 2024
• Supervising Cyber: How The ECB Stress Test Will Shape The Agenda, March 6, 2024
• Cyber Risk Insights: Ongoing Vigilance Is Key To Gulf Banks' Cyber Risk Resilience, Feb. 19, 2024
• Cyber Risk Insights: Attack On Vulnerable Software Highlights Outsourcing Risk For Banks, July 22, 2023
• Cyber Risk Insights: European Banks' IT Complexity Amplifies Risk, March 23, 2023
• Malta-Based Bank Of Valletta PLC Downgraded To 'BBB-/A-3' On Internal Control Issues; Outlook Stable, July 31, 2019