
Structured Finance: Risk Assessment Is Evolving With Cyber Threats

Cyber risks are in a constant state of flux, characterized by cyber attacks and incidents that are increasing in frequency and sophistication, and cyber security that is maturing in application and engaged in a technology arms race.

Why it matters: The dynamic nature of the cyber risk environment necessitates the evolution of S&P Global Ratings' analytical approach to the assessment of cyber risk in structured finance.

In 2021, we published our view on the implications of cyber risk for structured finance (see "Credit FAQ: How Could Cyber Risks Affect Structured Finance Transactions?," Sept. 8, 2021). At that time, we noted structured finance transactions were not immune to cyber incidents and attacks that were increasingly common, wider in scope, and often increasingly sophisticated. Since then, attacks targeting structured finance issuers directly have been mercifully few. Yet there have been events of note, particularly against loan servicers--including Mr. Cooper Group (see "Mr. Cooper's Data Breach Reflects Increased Reputational Risks, Although Direct Costs Should Be Manageable," Dec. 15, 2023) and Latitude Finance Australia (see "Latitude Finance Australia's Master Trust Remains Functional After Cyber Attack," March 27, 2023)--and their third-party vendors.

Increasing Cyber Risks Necessitate Continued Investment

Broadly speaking, cyber attacks affecting structured finance have shared some key similarities. They include quick resolution of the event, a lack of contagion from affected systems to other parts of the transactions, and timing that did not generally coincide with key securitization-related tasks (such as calculating and transferring remittance amounts). That combination of factors meant that cyber incidents have so far not affected securitization ratings.

That welcome record is, however, under constant and increasing threat (see chart 1). Megatrends, including ubiquitous digitalization and widespread deployment of AI (see "White Paper: Assessing How Megatrends May Influence Credit Ratings," April 18, 2024) could exacerbate cyber risk in financial markets. We expect that the increased cyber threat will have to be met with ongoing investment to maintain effective countermeasures.

Chart 1


Events Are Instructive Of Cyber Risks For Structured Finance

The sample scenarios we describe in our Credit FAQ, published in 2021, remain illustrative of some of the cyber risks faced by the structured finance sector. Two more recent events, noted earlier, also elucidate cyber risk elements as they pertain to the sector:

  • The 2023 attack on Mr. Cooper interrupted user payment systems, which prevented client payments and exposed some customer information. Despite that, structural features in the transaction documents (including backup servicing advancers) enabled debt service payments to be made without interruption. The company said in a Dec. 15, 2023 filing with the SEC that it expected the attack would result in about $25 million of costs, including expenses relating to vendor services and the provision of complimentary identity protection for customers.
  • The Latitude Finance cyber attack, also in 2023, cost the Australian credit card issuer about A$76 million (US$49 million), according to the company's first half 2023 results presentation, published on Aug. 18, 2023. Despite the severity of that incident, which included data theft, the potential for further damage was mitigated by the presence of sufficient backup systems and the fact that none of the 'credit card securitization trusts' were compromised.

Assessing Cyber Preparedness In Structured Finance

For structured finance transactions, cyber risk typically manifests as operational risk at various stages, from collections, calculations, and report generation to distributions. These may ultimately have liquidity and credit implications.

The structural features of securitizations and the preparedness of key transaction parties have mitigated damage from past cyber attacks. Yet there has also been an element of luck. Damage and costs could have been worse if, for example, the incidents had coincided with vulnerable periods (such as when balances need to be calculated and remitted), had affected systems more important to a securitization transaction, or had taken longer to remedy. The possibility that negative rating actions could be a consequence of cyber-related disruptions remains.

Our approach to evaluating an entity's cyber preparedness is inspired by the U.S.'s National Institute of Standards and Technology (NIST) framework, and incorporates a focus on its key elements: identify, protect, detect, respond, recover, and govern.

Cyber incidents aren't limited to the actions of malevolent parties, and can include outages in systems or communications infrastructure, including due to failed IT updates, programming bugs, accidents, and natural disasters.

We may employ a variety of means to assess a transaction party's cyber preparedness, ranging from utilizing third-party evaluations to incorporating questions on cyber hygiene and response planning in our management review process (see box: Cyber Hygiene Queries).

Vendor Risks Can Be A Key Cyber Risk Element

The ubiquity of software and communications outsourcing means that rated entities' cyber risks inevitably include their ability to manage and mitigate exposure to third-party cyber risk. The potential for contagion from disruptions at key vendors is thus a consideration in our assessment, which will typically include appraisal of an entity's ability to work around vendor outages (part of business continuity planning); the ability to return to normal operations (recovery planning); and, where an event has occurred, an entity's understanding of the root cause and the adjustments that should be made to prevent similar incidents in the future.

The importance of an entity's third-party cyber risk exposure, and management of those risks, is thus a further element of our analysts' assessment of cyber risk in structured finance, and may result in a number of related queries (see box: Third Party Risk Queries).

Change Is The Constant In Cyber Risk, Cyber Security, And Our Evaluation

The management of credit risk by structured finance entities will continue to motivate them to keep abreast of emerging cyber security risks, including those linked to new threat actors, attack vectors and tactics, and newer technologies. To be effective, their cyber security systems will have to adapt in scope, implementation, and technology.

That imperative is notably evident in relation to the accelerating application of AI, which poses threats to established cyber security systems, while also promising to bolster cyber defenses and improve cyber risk management. AI's application also has the scope to affect structured finance entities' risk profile and management in other ways, for example by refining risk assessment in asset underwriting and increasing asset-servicing efficiency.

As cyber threats and defenses evolve, so too will our assessment. The questions posed by our analysts will be adapted to ensure that our evaluation remains relevant and provides a comprehensive overview of entities' cyber risks and their potential to affect wider credit risks. By publishing those questions here, it is our hope to play a part in prompting structured finance entities to review their cyber preparedness, adopt rigorous cyber risk management frameworks (such as that provided by NIST), and be better positioned to adapt to the dynamic cyber risk landscape.

Editor: Paul Whitfield

This report does not constitute a rating action.

Primary Credit Analysts: Mauricio Tello, Englewood + 1 (212) 438 1206;
mauricio.tello@spglobal.com
Sujoy Saha, New York + 1 (212) 438 3902;
sujoy.saha@spglobal.com
Alexander J Gombach, New York + 1 (212) 438 2882;
alexander.gombach@spglobal.com
Secondary Credit Analyst: Joshua C Saunders, Chicago + 1 (312) 233 7059;
joshua.saunders@spglobal.com
