Cyber risk is a growing threat that can affect credit ratings as attacks can compromise customer data and disrupt websites, with consequences for individual issuers and financial systems.
Cyber-attacks against financial institutions are an increasingly significant risk, Fitch Ratings says. Cyber risk is a growing threat that can adversely affect credit ratings as attacks can compromise customer data and disrupt websites, with detrimental financial or operational consequences for individual issuers and financial systems. Related reputational damage may weaken business and access to funding and capital markets.
In one of the latest reported attacks, payday lender Wonga said earlier this month that up to 270,000 customers in the UK and Poland may have been affected by a data breach.
Institutions with substantial consumer lending businesses and deposit franchises are most at risk of financially motivated attacks due to the scope for theft from customer accounts and the large volume of personal data they hold. However, larger institutions typically have stronger risk controls and regulatory oversight, mitigating some of the risks.
Institutions that provide trade execution, clearing and settlement services are more vulnerable to disruptively motivated attacks, due to their interconnectivity with the financial system.
Regulators have been increasingly vocal on cybersecurity and have urged cyber-attack stress testing. The chair of the U.S. Securities and Exchange Commission stated in 2016 that cybersecurity is the biggest risk to the U.S. financial system. Under the EU’s General Data Protection Regulation, which takes effect in May 2018, banks face potentially large fines – up to 4% of their global turnover – for security breaches of personal data. All organisations that use data from EU citizens must comply, regardless of their domicile.
Certain regulatory bodies are taking the view that cyber risk management should be internationally coordinated, as evidenced by committees and working groups such as The International Organization of Securities Commission’s Committee on Payments and Market Infrastructures and G-7 Cyber Risk Expert Group.
According to the European Central Bank, the average lag until a breach is detected was 146 days in 2016, down from 205 days in 2014. As information is shared across firms, cyber risk detection and response plans could improve, but coordination does not ensure that risks can be fully contained.
Insurance against cyber-attacks may cover nominal losses but may not contain reputational damage that could lead to client outflows or loss of investor confidence. Cyber insurance underwriting has increased in recent years. Fitch estimates that the U.S. property and casualty insurance industry wrote over USD1 billion in cyber-related insurance premiums in 2015 and expect these levels to grow in the coming years.