In a note published last week, ratings agency Standard & Poor’s (S&P) said it viewed banks as natural targets facing a high threat of cyber-risk, although it considered the global credit risk of a cyber attack to be only medium, because it believes large banks have taken appropriate steps to mitigate known risks. However, cybersecurity is a continual battle, and S&P flagged the possibility of negative rating actions against banks with weak cybersecurity in the future.
Although there have been a number of security breaches, S&P has not as yet taken ratings action against any bank, as to date those breaches have not resulted in significant reputational or monetary damages. Nonetheless, S&P indicated that it might well downgrade a bank if a breach created serious reputational issues that could cause a significant loss of customers, or if the monetary or legal losses flowing from the breach materially impacted the bank’s capital.
It is important to note that S&P also suggested it might downgrade a bank even before an attack occurred where it believed the bank was ill-prepared to withstand a cyber attack. The note sets out some of the questions that S&P is currently asking bank management teams, in order to assess how well prepared they in fact are.
With cybersecurity already at the forefront of regulators’ minds in the UK (UK: Cyber-security – what level of security will be sufficient to meet a firm’s regulatory obligations?) and an increasingly large focus of the EU (The EU’s fight against cybercrime continues – attacks against information systems), potential action by ratings agencies is yet another in the long list of reasons for banks to make cybersecurity a priority.