Despite the many positives that technology brings to the global banking industry, it also comes with a host of challenges. At or near the top of the list, in Standard & Poor's Ratings Services' opinion, is cybersecurity.
Technological advances have played a major role in helping bank management teams improve margins and better monitor risks within the organization. In addition, new technology, such as mobile banking, has been at the forefront of product innovation, creating new revenue streams. At the same time, however, technological advances have created competitive dynamics that could undermine a bank's business model if the bank doesn't embrace technology as it develops. At a basic level, a bank that is not technologically up to date risks losing customers who expect a technology experience in line with that of its peers. For example, if a bank doesn't offer the latest advances in mobile banking or the ability to use outside services, such as Apple Pay, to make credit card purchases, customers may go elsewhere.
Given banks' retail presence, the value of the data banks hold, and their function as key nodes in the global financial system--including being a conduit of currency--we view banks as natural targets facing a high threat of cyber-risk.
Nevertheless, we view the global credit risk of a cyberattack as medium because we believe large banks have taken appropriate steps to mitigate known risks. Among those steps are making it a high internal priority to install the proper measures to defend against attacks and increasing the budget for cyberdefense (see "U.S. Financial Services Credit Ratings Are Resilient To Cyber Security--For Now," published June 9, 2015, on RatingsDirect). If an especially damaging cyberattack is successful, however, it could put a bank's reputation at risk and cause serious monetary and legal damages.
Although some banks' tech systems have been breached, we have taken no rating actions on any banks worldwide because the breaches to date have not caused significant reputational or monetary damages. Still, we view weak cybersecurity as an emerging threat that has the potential to pose a higher risk to financial firms in the future, and possibly result in downgrades.
We don't believe any cyberdefense is foolproof. But a strong, well-thought-out strategy is key, coupled with the ability to recognize quickly when the bank's systems have been maliciously penetrated and to take the necessary actions swiftly, such as isolating the compromised systems.
As cybersecurity in the banking industry becomes an ever more important topic, we've been getting a lot of questions about how the issue might play into our global bank ratings. Here are answers to some of these questions. (And watch the related CreditMatters TV segment titled, "How Cyberattacks Could Affect Global Bank Ratings," dated Oct. 2, 2015.)
Frequently Asked Questions
In Standard & Poor's view, how big of a problem are cyberattacks for the banking industry?
Assessing the number of attacks and their cost is difficult because banks may not report their losses or may not even be fully aware that an attack has taken place. In addition, such losses may be difficult to quantify. What is clear is that banks face low-level probing ("pings") on a daily basis as would-be attackers assess the strength of a bank's defenses.
According to a July 2015 Government Accountability Office (GAO) report, in 2012 and 2013 more than a dozen depository institutions in the U.S. sustained cyberattacks that prevented access to their public websites. In late 2014, JPMorgan experienced an attack that compromised personal information of tens of millions of customers, although the data was low-sensitivity--for example, it didn't contain Social Security numbers. In addition, according to law enforcement, depository institutions likely have incurred hundreds of millions of dollars in losses from breaches that allowed criminals to illegally transfer funds from corporate customer accounts and to withdraw cash from ATMs.
Breaches outside the banking industry have also affected banks monetarily, notably through stolen credit card information. An example is the Target breach in 2013, in which the personal information of 70 million customers was compromised. Banks bear the cost of replacing compromised cards, which is one reason the banks involved in that breach recently rejected a proposed $19 million settlement with Target.
Cyberattacks aren't only a U.S. phenomenon. Earlier this year, for example, cybersecurity company Kaspersky Lab, which is headquartered in Moscow, revealed that its work with law enforcement agencies in various jurisdictions had uncovered a two-year, billion-dollar theft from a range of unnamed banks around the world by a multinational gang of cybercriminals. They gained entry into the banks' systems through employees' computers and then recorded video of the screens of staff who serviced the cash transfer systems. In this way, the criminals learned the details of the bank clerks' work and were able to mimic staff activity in order to transfer money.
South Korea has seen several cases of security breaches for financial institutions in recent years--for example, cyberterrorism, hacking, and leaking personal data. These security incidents resulted in comprehensive regulatory measures to reinforce financial institutions' data security and protect personal data in the financial sector.
How would a cyberattack affect Standard & Poor's ratings on a bank?
So far, cyberbreaches haven't led us to lower our ratings on any global bank because those attacks didn't cause reputational, monetary, or legal damages that significantly hurt profits. Still, we view weak cybersecurity as an emerging risk that has the potential to result in negative rating actions, which could take place in one of two ways. If we were to believe that a bank is ill-prepared to withstand a cyberattack, we could downgrade the bank before an actual attack. A downgrade could also result after a bank is breached if we believe the breach has caused significant reputational damage that could result in a major loss of customers, or if the monetary or legal losses significantly hurt capital. Should the banking industry as a whole succumb to a series of repeated, serious security breaches, we could also consider whether such developments were sufficient to warrant a worsening industry risk assessment in our banking industry country risk assessments (BICRA), which we use to set the anchor for our bank ratings.
What does Standard & Poor's believe is the source of cyberattacks?
Our understanding is that the most serious attacks on banks are coming from the following groups:
- Hostile nation-states: Likely the most sophisticated threat a bank faces, where motivation is largely political and banks could be most at risk when political tension arises.
- Terrorist organizations: The purpose is largely either monetary (to fund the terrorist group) or to disrupt the financial system.
- Criminal groups: Largely seeking monetary gain.
- Activists: To promote an ideology.
- Hackers: May have monetary incentives but also may attempt to disrupt for prestige or challenge.
- Industrial/economic espionage: The motive is to steal proprietary information, including confidential information such as merger and acquisition details.
- Company insiders: Legitimate, often broad, access to systems allows this group to damage the bank's systems or to steal confidential data, particularly when they leave the company.
How do these groups disrupt a bank's tech system?
- Denial of service: Systems are flooded with traffic so that users are unable to access their accounts.
- Phishing: Authentic-looking e-mails or messages direct users to fake websites that request credentials or other personal information.
- Malware: Software designed to carry out harmful actions is loaded onto a company's systems.
- Virus: A program that infects a computer and may corrupt or delete data, and that can spread to other computers, for example through e-mail.
- Third-party infection: Because of banks' interconnectivity with third-party vendors, central agents, exchanges, clearinghouses, and other financial institutions, banks could be infiltrated if any of their third parties suffers a successful cyberattack or other information security event.
What are banks doing to protect against such attacks?
Management teams are taking steps to strengthen their banks' ability to withstand a cyberattack. They include:
- Internal enhancement of technology risk governance practices;
- Increasing spending to ensure the most up-to-date technology is used to spot malicious attacks;
- Internal education to make employees aware of the nature of phishing attacks;
- Increasing the oversight of third-party vendors;
- Hiring an outside group to attempt, deliberately, to infiltrate the bank's systems (penetration testing) so that defenses can be improved;
- Emergency planning strategies should a system be infiltrated;
- Making data containment plans once a system is infiltrated; and
- Creating auxiliary systems to ensure business continuity.
Below we discuss some of these efforts in more detail.
Improving technology risk governance and controls. Large banks typically have a firmwide technology-risk committee, which reviews matters related to the design, development, deployment, and use of technology. It also monitors their effectiveness, including overseeing cybersecurity matters. This committee is usually chaired or co-chaired by the chief information officer, a position that has recently grown in importance given the role technology plays in a bank's business. Areas of focus in terms of cyber-risk include:
- Stopping malicious software and intrusions;
- Protecting infrastructure and applications from attack;
- Implementing control programs to manage identity, access, and data flow; and
- Analyzing threat intelligence and responding to attacks.
Third-party vendor assessment. Banks impose a quality standard of cyber-readiness for third parties that they interact with. Typically, each third party is assigned a risk value. Based on the level of risk assessment, a bank will schedule various onsite visits with the third party. In addition, banks may even lend their own tech support to some third-party vendors.
Seeking external tech support. Besides building its own staff to thwart cyberattacks, a bank may hire outside tech experts to assess its readiness. In such cases, the outside expert typically puts forth a plan to increase a bank's security system. The bank management team may then hire another outside party to ensure that the plan is being executed properly.
Internal training for phishing. Banks typically send staff test e-mails that entice them to click on links, as a security exercise for employees. The targets are typically those in a decision-making capacity with sign-off privileges that can influence business activity. Groups outside the bank also test the success rate of phishing attempts aimed at employees and rank the results against other institutions, so that management can assess where the bank stands versus peers.
In Standard & Poor's view, do banks' efforts to prevent cyberattacks work?
Despite efforts to infiltrate bank tech systems, no serious breach has yet caused reputational damage or significant monetary losses. Still, no bank management team will want to publicly declare victory, because doing so could motivate an attacker to prove them wrong or signal complacency or apathy.
Cyberdefense is a continual battle, particularly as technology evolves. Disconcertingly, many tech experts believe that if a hostile nation-state put all its resources into infiltrating a particular bank's tech system, it would probably prove successful. The key at that point is how quickly the bank realizes the infiltration and how long it takes to isolate it so that the rest of the bank's system is not corrupted. For this reason, for example, U.S. banks work in close partnership with intelligence agencies and are alerted by them during times when U.S. political tensions could engender retaliation from a hostile nation-state.
What are the costs for banks to protect themselves against cyberattacks?
Few banks have disclosed the costs of cybersecurity, partly because it's difficult to separate technology spending devoted solely to this purpose from technology spending in general. Positively, technology budgets are up at most banks. We would find it disconcerting to learn of a bank cutting its tech budget amid other cost-cutting initiatives.
One bank though--JPMorgan--publicly announced it had spent $250 million for cybersecurity in 2014 and will increase the budget 80% over the next two years, to $450 million. Still, this totals only about 0.7% of 2014's expenses and is only a fraction of JPMorgan's roughly $94 billion of revenue. A larger budget to put toward tech is an example of the advantages big banks have over smaller banks. Cyberdefense is going to be needed for any bank (admittedly not as sophisticated as what the larger, global banks need), and a bigger revenue base helps defray some of the expense.
What are regulators and governments doing to ensure banks are prepared for a cyberattack?
Many bank regulators and government agencies across the globe have noted cyber-risk as a key problem and an area of focus. The U.S. Congress recently commissioned the GAO to study the vulnerability of banks to cyberattacks, which included an assessment of regulators in regard to cybersecurity. The report described how regulators attempt to tackle the issue of cybersecurity by first assessing a bank's risk level and then determining the appropriate level of the regulatory examination.
It is our understanding that examining highly complex systems requires regulatory staff with specialized technology experience, so regulators need to hire more such specialists. One of the GAO's recommendations was for regulators to better explore ways to collect and analyze data on trends in technology examinations across institutions.
Notably, in June 2015, the U.S. Federal Financial Institutions Examination Council issued a cybersecurity assessment tool that institutions and regulators may use to evaluate cyber-risk. The Office of the Comptroller of the Currency recently said it will gradually incorporate the assessment into examinations of national banks, federal savings associations, and federal branches and agencies. The assessment first identifies the amount of risk posed to the bank (assessing the bank's internal system, volume of transactions, and external threats) and also assesses its cybersecurity maturity, which includes risk management, security controls, and incident management. A bank's appropriate cybersecurity maturity level depends on its risk profile.
Various laws and policies have been established for U.S. federal agencies to enhance the cybersecurity of critical infrastructure. Notably, the National Institute of Standards and Technology (NIST), a federal agency, took the lead in responding to an executive order aimed at improving critical infrastructure cybersecurity. The resulting NIST Cybersecurity Framework offers voluntary guidance for critical infrastructure organizations to better manage and reduce cybersecurity risk, and it references industry standards against which an organization can measure its level of preparedness for an attack. Although the framework was started for U.S. policy purposes, it is not a U.S.-only framework and is open to use internationally.
In addition, it is our understanding that information sharing exists between the U.S. government and the banking industry. According to the GAO report, the U.S. Treasury has taken several steps to improve information sharing with depository institutions. Specifically, the Treasury has:
- Disseminated cyberintelligence requirements of the financial sector to the intelligence community,
- Sought to declassify cyber-threat indicators to share with the financial community, and
- Sought to distribute early warning indicators to banks.
Other government agencies are also involved, such as the FBI and CIA, along with local law enforcement, and there appears to be a communal effort across the industry and government to share information.
The EU is developing a directive on network and information security (NIS), which, if implemented, would require all member states to:
- Establish national NIS authorities to implement NIS strategies and cooperation plans and establish emergency response teams to respond to cyber threats;
- Exchange information and cooperate across the EU to counter NIS threats and incidents; and
- Promote a culture of risk management and information-sharing between the private and public sectors on NIS matters. This includes a requirement for companies in specified "critical" sectors--which include banking--to assess the NIS risks they face, adopt appropriate and proportionate measures to counter them, and report significant breaches to the authorities.
The NIS directive is still being negotiated, and, in our view, any final rules are unlikely to be implemented in the next two years given that under EU rules member states have up to 18 months after EU authorities adopt directives to implement them.
In the U.K., financial authorities led by the Bank of England have developed CBEST, a framework for testing cybersecurity vulnerabilities in systemically important financial institutions. Recognizing that cyberattacks cannot always be prevented, CBEST aims to improve institutions' resilience and ability to recover after suffering an attack. The framework is also intended to allow the authorities to share with the industry the vulnerabilities that the tests identify, and how they should be mitigated.
In Japan, cybersecurity has been topical recently since the Financial Services Agency issued a policy on strengthening cybersecurity in the financial industry in July 2015 ("Policy of Approach to Strengthen the Cyber Security in the Financial Industry"). This policy aims to clarify the issues financial institutions need to address and share common awareness regarding cybersecurity with financial institutions, financial service users, and related institutions. (Notably, the policy is available only in Japanese at this stage.)
In Australia, though the Australian Prudential Regulation Authority (APRA) doesn't have a technology-risk prudential standard, it has released prudential practice guides on managing security risks for information technology (which takes a holistic approach and outlines its expectations for banks, insurers, and pension funds) and managing data risks. In July, APRA released its information paper on cloud computing. Australian banks are required to report data on breaches to supervisors and input this data into the Basel advanced approach to measure operational risk capital. We note though that these operational breaches are not limited to cyberattacks but encompass trading system issues, ATM errors, etc.
The largest Australian banks are a part of a global collection group for operational loss data where banks submit their data anonymously in exchange for access to other banks' data. Our view is that this approach affords a greater depth and richness of data for modeling purposes than would otherwise be derived from domestic-only sources.
In Latin America, cybersecurity regulation is slowly evolving, although large banks in the region--mainly subsidiaries of European banking groups--are taking a strong stance toward preventing cyberattacks by periodically reviewing their systems, mobile and electronic banking security networks, and tech infrastructure. European bank subsidiaries in Latin America are also doing a more comprehensive review because the European Central Bank, over the past 12 months, has asked for more detail on this matter. Some banks are even asking their auditors to include a cybersecurity chapter in their annual reports.
However, because very few jurisdictions have implemented Basel III, these nations in Latin America have no specific risk-weighted charges for operational or technological risks, and consequently there are some banks that are not prioritizing the matter.
In all, in Latin America, a significant gap exists between large and midsize to small banks in terms of addressing cyberattacks and their underlying risks, and with regulation not clearly addressing it, many jurisdictions in Latin America are not helping to narrow this gap.
Can a bank purchase insurance for losses occurring from cyberattacks?
Cyber-insurance is an emerging industry (see "Looking Before They Leap: U.S. Insurers Dip Their Toes In The Cyber-Risk Pool," published June 9, 2015). However, insurers are offering only limited coverage with significant exclusions, because they are acting cautiously given the difficulty of modeling cyber losses. As such, we would not look favorably on a bank that relied solely on cyber-insurance as its protection against a cyberattack.
What questions is Standard & Poor's starting to ask bank management teams to ensure they are prepared for a cyberattack before an event actually occurs?
We have begun to ask the following questions regarding banks' readiness for a cyberattack:
- How do you measure the exposure and report on cyber-risk?
- Do you have a robust, well-documented program to monitor cyber-risks?
- How many times was the business the target of a high-level attack during the past year, and how far did it reach in the system?
- What areas does the bank feel are still vulnerable to attack?
- Does the bank have any third-party vendor oversight? If so, what kind and how much?
- What is the bank's readiness with respect to the NIST framework?
- How does the bank ward off phishing and diminish the likelihood of having data compromised from an internal breach?
- What's the internal phishing success rate?
- How long has it typically taken to detect a cyberattack?
- What containment procedures are in place if the bank is breached?
- Are emergency scenarios test-run?
- What software or other techniques are used to monitor attacks?
- What kind of expertise about cyberattacks exists on the board of directors?
- How much does the bank spend on cybersecurity, and what resources does it devote? What is the total tech budget this year versus last?
- What are the bank's capabilities versus peers, and how are they assessed? Is there information shared with peers?
- Does the bank have any insurance to compensate for a cyberattack?
A cyberattack is an emerging risk in all industries and could be particularly harmful to the banking industry if malicious attacks prove successful, given the sensitivity to confidence inherent in this industry. We believe banks and regulators have begun to take the initial steps to address the seriousness of the risk. However, we believe the risks of an attack, and the solutions, are only in the initial stages and will be a concern of risk managers and regulators for a long time to come.
Related Criteria And Research
Related Criteria
- Banks: Rating Methodology And Assumptions, Nov. 9, 2011
- Banking Industry Country Risk Assessment Methodology And Assumptions, Nov. 9, 2011
- Banks: Bank Capital Methodology And Assumptions, Dec. 6, 2010
Related Research
- U.S. Financial Services Credit Ratings Are Resilient To Cyber Security--For Now, June 9, 2015
- Looking Before They Leap: U.S. Insurers Dip Their Toes In The Cyber-Risk Pool, June 9, 2015
- Cyber Risk And Corporate Credit, June 9, 2015
Outside research
- "Cybersecurity: Bank and Other Depository Regulators Need Better Data Analytics and Depository Institutions Want More Usable Threat Information," July 2, 2015 (GAO report to Congressional requesters)
Under Standard & Poor's policies, only a Rating Committee can determine a Credit Rating Action (including a Credit Rating change, affirmation or withdrawal, Rating Outlook change, or CreditWatch action). This commentary and its subject matter have not been the subject of Rating Committee action and should not be interpreted as a change to, or affirmation of, a Credit Rating or Rating Outlook.
Primary Credit Analyst: Stuart Plesser, New York (1) 212-438-6870; stuart.plesser@standardandpoors.com
Secondary Contacts: Osman Sattar, ACA, London (44) 20-7176-7198; osman.sattar@standardandpoors.com
Richard Barnes, London (44) 20-7176-7227; richard.barnes@standardandpoors.com
Arturo Sanchez, Mexico City (52) 55-5081-4468; arturo.sanchez@standardandpoors.com
Gavin J Gunning, Melbourne (61) 3-9631-2092; gavin.gunning@standardandpoors.com
No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.