articles Ratings /ratings/en/research/articles/240812-servicer-evaluation-spotlight-reportt-the-importance-of-cyber-security-for-u-s-and-canadian-servicers-in-a-c-13176120.xml content esgSubNav
In This List
COMMENTS

Servicer Evaluation Spotlight Report™: The Importance Of Cyber Security For U.S. And Canadian Servicers In A Challenging Environment

Covered Bonds Uncovered

COMMENTS

2025 U.S. Residential Mortgage And Housing Outlook

COMMENTS

Weekly European CLO Update

COMMENTS

Scenario Analysis: Middle-Market CLO Ratings Withstand Stress Scenarios With Modest Downgrades (2024 Update)


Servicer Evaluation Spotlight Report™: The Importance Of Cyber Security For U.S. And Canadian Servicers In A Challenging Environment

Over the last several years, cyber security, a crucial component in any servicer's operation, has taken on an increasingly visible role due to numerous high-profile data breaches impacting various industries. According to the cyber security research firm Check Point Research, the average number of cyber attacks per organization per week rose 38% in 2022 from 2021, and increased 28% in the six-month period ending March 31, 2024. The average number of weekly events has also grown year over year. We look at the importance of cyber security for U.S. and Canadian servicers and discuss how we assess a servicer's program in our evaluation review process.

The High Cost Of Corporate Inaction

Inaction against preventing cyber attacks can come with a high cost and remediation actions. For example, International Business Machines Corp. (IBM) noted in its Cost of a Data Breach Report 2024 that the average cost of a corporate data breach in 2024 was $4.88 million, a 10% increase from the prior year and the largest yearly increase since the start of the COVID-19 pandemic. Additionally, it was noted that 70% of organizations experiencing a breach indicated it was a significant or very significant disruption. Moreover, IBM said that 63% of organizations are planning to increase their security investments as compared to last year when the figure was 51%, focused mainly on employee training as the top investment area.

As a result of cyber attacks and breaches, servicers have had to implement various corrective actions, including suspending certain customer-facing activities (website access, payment processing, etc.) and halting internal operations until an investigation determines the method of attack, the impact on systems, and how to stop the attack. Remediation actions, in addition to addressing the source of the breach, generally include notifying affected customers and offering credit monitoring services for a predetermined period of time. It is also not uncommon for litigation to be initiated on behalf of the affected parties, alleging inadequate cyber security procedures as the cause of the breach.

Assessing A Servicer's Cyber Security Program

While servicers have implemented various cyber security tools and programs, hackers continue to design increasingly sophisticated malware with the potential to penetrate companies' defense systems. Though not all companies have been impacted by cyber breaches, hackers are increasingly using AI and other tools to develop malware that can infiltrate even the most cutting-edge applications, so a servicer's cyber security program becomes even more important as hackers evolve.

S&P Global Ratings' servicer evaluation group recognizes that a sound cyber security program is a significant factor in the overall analysis of a servicer's operations. When conducting an operational assessment of a servicer, we ask the company to describe its overall cyber security program. The general topics we discuss include the following:

  • Its information security program and management team (e.g., the CEO, chief information officer, and chief information security officer);
  • Staff resources dedicated to monitoring company systems to triage and address potential cyber security threats;
  • Frequency of phishing and/or smishing testing programs, overall click rates, and remediation actions;
  • Timing of vulnerability scans and what internal and external tools are employed to assist in monitoring and identifying potential threats;
  • The incorporation of AI into the servicer's preventive tools and systems used to combat attacks and secure systems;
  • Frequency of external penetration tests and the vendor's rotation schedule, along with a discussion of the latest results;
  • Frequency of internal penetration testing and the results of the last test;
  • The servicer's data storage backup routines, including how data is backed up (i.e., the cloud, tapes, or both) and whether data is stored on air-gapped mediums;
  • Recovery time and recovery point objectives for the servicer's data and business units;
  • Frequency of a servicer's recovery exercises, including data backups to validate their restoration ability;
  • Data encryption practices at rest and in transit;
  • Plans to address potential ransomware attacks and the frequency of tabletop exercises;
  • Employee training on cyber and information security, including social engineering;
  • System and organization controls (SOC) 2 certification or other evaluations or tools used to assess the company's cyber security posture; and
  • The process to evaluate third-party vendors' cyber security posture.

Staying Ahead Of The Curve

Sustained investments in cyber security will be crucial for any business entity, especially servicers, as they will continue to experience ever-evolving threats requiring additional expertise, capital, and technology to stay ahead of the curve. Despite servicers' significant expenditure on cyber security staff and systems to support their programs, these preventative measures are only effective if the program is successfully implemented and maintained. Notwithstanding, even the best preventative measures will be continuously challenged by the ever-increasing sophistication of attacks.

A key focus for servicers will be whether they can keep up with the malicious actors who try to penetrate their systems and obtain non-public information, thereby disrupting operations, affecting customers, and posing significant financial harm to the company. New privacy and event-reporting regulations and compliance requirements from the states of California and New York impacted various industries including servicers, among others. Although not directly affecting servicing, the Securities and Exchange Commission has also stated that cyber security is one of its 2024 priorities when conducting examinations of broker dealers and investment advisors.

As servicers navigate ever-increasing cyber threats and the rollout of new government regulations, their dependence on the digitization of information and processes should be balanced with comprehensive and preventative cyber security controls in order to effectively combat the risks that lie ahead.

While this article focuses on the impacts of cyber security for the Servicer Evaluation ranking process, S&P Global Ratings has written additional articles that relate to cyber security across other industries and the potential credit impacts that they may have (see "Cyber Risk Insights: Navigating Digital Disruption Booklet Published," published July 9, 2024, and "Digital Booklet Published: Cyber Risk Insights," published Feb. 22, 2023).

The analysts would like to thank Marilyn Cline for her contribution to this report.

Related Research

This report does not constitute a rating action.

Servicer Analyst:Steven L Frie, New York + 1 (212) 438 2458;
steven.frie@spglobal.com
Secondary Contacts:Mark J Shannon, New York + 1 (404) 989 7655;
mark.shannon@spglobal.com
Adam J Dykstra, Englewood + 1 (303) 721 4368;
adam.dykstra@spglobal.com
Analytical Manager:Robert J Radziul, New York + 1 (212) 438 1051;
robert.radziul@spglobal.com

No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.

Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.

To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.

S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.

S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.

 

Create a free account to unlock the article.

Gain access to exclusive research, events and more.

Already have an account?    Sign in