MELBOURNE (S&P Global Ratings) Sept. 27, 2022--Asia-Pacific banks have been hacked before, and they will be hacked again. We are incorporating this risk into our ratings on financial institutions. S&P Global Ratings believes the region's ever-more open and interconnected banking systems raise the threat of hacks and data breaches.
This is according to a report we published today, titled, "Asia-Pacific Banks' Digital Opening Raises Cyber Risks."
"Asia-Pacific financial institutions are increasingly on the cloud, sharing client data with a fintech firm, or relying on third-party service providers. With the addition of each new partner into a digital system, hackers get a new point of entry," said S&P Global Ratings credit analyst Nico DeLange.
The pandemic has also conditioned much of Asia-Pacific to work from home, and to get their financial services on the internet. As banking moves online, the scope for cyberattacks rises.
"On top of creating direct monetary losses, data breaches can damage the reputation of a bank and can hit a bank's credit profile. In jurisdictions where the entire industry incurs repeated, serious data breaches, or where regulators are particularly lax, negative ratings momentum could result," said S&P Global Ratings credit analyst Gavin Gunning.
Moreover, a successful attack may pose systemic risks. The highly concentrated markets of Hong Kong, Singapore, and Australia are particularly vulnerable. An incursion that disrupts the operations of one large player in these markets could seriously unsettle the normal business of banks and their customers.
Asia-Pacific banks also often rely on partners for their cloud computing and open banking platforms. This involves a fresh set of risks. Amazon Web Services (AWS), Google Cloud Platform, IBM Cloud, Oracle Cloud, and Microsoft Azure control about 80% of the cloud service market, according to Gartner, a researcher. These five entities have access to key banking data and support core banking services.
Similarly, Asia-Pacific banks' adoption of open banking is an opportunity for hackers. Open banking involves the sharing of sensitive customer data among a wide range of fintech companies and third-party service providers. This allows clients to move seamlessly from one service provider to another. But as more parties handle data, hackers have more ways to infiltrate and steal information.
"To prevent attacks, Asia-Pacific regulators will need a dogged determination to understand and manage risks," said Mr. DeLange. "This points to the need for collaboration, and cross-border information sharing to build cyber resilience across entities to prevent systemic risk."
"While we have not downgraded any Asia-Pacific bank as the result of a cyberattack, the hit to individual institutions could be crippling. This could be particularly true for banks that have not invested enough in their cybersecurity," said Mr. DeLange.
Please join S&P Global Ratings analysts and market practitioners from key financial institutions across the globe for our Asia-Pacific Financial Institutions Virtual Conference on Sept. 28-29, 2022, when they will discuss digitalization, inflation, cyber risk and other factors changing the shape of banking in Asia-Pacific. Please register for the event here:
https://event.on24.com/wcc/r/3914125/46DA6FFF50F6A0F5E1518F2DF92050F0/4073796?partnerref=MR
This report does not constitute a rating action.
AUSTRALIA
S&P Global Ratings Australia Pty Ltd holds Australian financial services license number 337565 under the Corporations Act 2001. S&P Global Ratings' credit ratings and related research are not intended for and must not be distributed to any person in Australia other than a wholesale client (as defined in Chapter 7 of the Corporations Act).
The report is available to subscribers of RatingsDirect at www.capitaliq.com. If you are not a RatingsDirect subscriber, you may purchase a copy of the report by calling (1) 212-438-7280 or sending an e-mail to research_request@spglobal.com. Ratings information can also be found on S&P Global Ratings' public website by using the Ratings search box located in the left column at www.standardandpoors.com. Members of the media may request a copy of this report by contacting the media representative provided.
| Primary Credit Analysts: | Nico N DeLange, Sydney + 61 2 9255 9887; nico.delange@spglobal.com |
| Gavin J Gunning, Melbourne + 61 3 9631 2092; gavin.gunning@spglobal.com | |
| Media Contact: | Richard J Noonan, Melbourne + 61 3 9631 2152; richard.noonan@spglobal.com |
No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.