As banks and non-bank financial institutions (NBFIs) embrace the evolving digitization of financial services and become more interconnected through tie-ups and partnerships, risk controls have become increasingly important as cyber risk and other security threats have grown, Fitch Ratings says.
Cyber incidents have yet to result in ratings changes for banks or NBFIs. However, ratings would be sensitive to fallout from cyber events that have outsized or lasting impacts on an issuer’s financial stability, cause significant reputational damage or a sustained loss of client trust, negatively disrupt business operations or result in large fines or settlements.
Banks and NBFIs face varying levels of exposure to cyberattacks, depending on their perceived attractiveness by attackers such as criminal groups, terrorists, insiders, ‘hacktivists’ and nation states.
Financial companies are targeted for cyberattacks given the large amounts of personally identifiable information (PII) and payment card industry (PCI) data they hold, as well as their systemic interconnectivity and strategic global economic significance.
Size and market position can often dictate type and degree of cyber risk. Systemically important banks, while often facing more complex ‘financially motivated’ and ‘disruptively motivated’ risks than smaller banks, generally have more sophisticated risk controls and resources to mitigate attacks.
While smaller firms may be less prone to the large attacks faced by larger financial institutions, they are relatively more reliant on outsourcing of cyber risk management given their comparatively modest technology.
As banks increasingly migrate online, business activities most exposed to cyber risk include retail banking, lending and brokerage, given the sensitivity of the information.
For NBFIs, financial market infrastructure companies (exchanges and clearinghouses) are more exposed to disruptively motivated cyber risk due to interconnectivity with the broader financial system. On the other hand, non-bank consumer lenders, asset managers and broker-dealers are more exposed to financially motivated cyber risks given the customer data involved.
Partnerships with financial technology (fintech) companies can increase financial institutions’ exposure to cyberattacks, as they provide more points of entry to compromise websites, client data and/or financial infrastructure. Greater reliance on third parties can also place access to sensitive data beyond the direct control of banks.
New technologies such as digitization, robotics, biometrics, artificial intelligence and advanced computing have been helpful in managing cyber risk; however, they have also increased firms’ potential exposure to cyber and other forms of security risk by opening up new channels for hackers.
Fitch expects financial institutions to face even greater scrutiny in light of proposed legislation in Congress and increased emphasis by bank regulators on cyber risk in their safety and soundness assessments.
This was evidenced by the Office of the Comptroller of the Currency (OCC), which recently highlighted the need to update current technology systems against ongoing cyber security threats in its semi-annual report.
Even with well-designed and implemented internal cyber defenses and other security measures, financial institutions face increasing security challenges.
In July, Capital One announced that an outside individual gained access to the personal information of over 100 million individuals by breaching the company’s misconfigured firewall. Most of the data was tokenized and thus protected.
However, 140,000 U.S. Social Security numbers, 80,000 bank account numbers and one million Canadian Social Insurance Numbers (SINs) were compromised, with an estimated cost of $100 million – $150 million.
In November, Desjardins, a large Quebec-based cooperative group, announced that an employee had breached internal security measures, stealing the personal information of all of its 4.2 million members, including names, addresses, SINs, phone numbers and banking patterns, at an estimated cost of CAD70 million.
Strong cyber risk mitigation does not provide upside to ratings; however, a severe cyber event caused by a lack of risk systems and controls could result in a downgrade.
Firms adopting best practices, comprehensive risk management strategies, policies, procedures and governance are best positioned to either prevent cyberattacks in the first place or quickly address and contain downside risks from a cyber event.