Key Takeaways
- Cyber risk is a growing threat to Australian banks.
- Risk at a system level remains low, notwithstanding the interconnectedness and concentration of the Australian banking industry.
- A potential data breach is the biggest cyber risk for Australian banks, with the regional banks most exposed.
Cyber risk is a growing threat to Australian banks. Although risks at a system level remain low, a large-scale attack could significantly damage the country's banking system, and lenders with weaker cyber and nonfinancial risk governance are the most vulnerable. To date, Australian banks have not suffered a cyber incident that has led to a rating action. But given the evolving nature of cyber risk, S&P Global Ratings believes banks could face a major incident, such as a data breach.
The Rise Of The Cyber Attack
Attacks are on the increase in Australia and globally. In the year to June 30, 2021, the Australian Cyber Security Centre (ACSC) received over 67,500 reports of cybercrime, up nearly 13% from the prior year.
In late September 2022, Singtel Optus Pty Ltd. (Optus), an Australia-based telecommunications operator, fell victim to a large-scale data breach. The company estimates the breach affected up to 9.8 million of its current and former accounts. The cause and scale of the breach are under investigation. The attack raises governance concerns regarding Optus' ability to manage its risks, particularly the control of its IT systems and robustness of its cybersecurity defenses (see "Optus Data Breach Could Squeeze Market Share And Margins," Sept. 29, 2022).
Banks are attractive targets. A successful attack can yield access to payment infrastructure as well as a wide range of personal information and data on companies and individuals, which may lead to substantial losses.
Financial institutions were the most frequently attacked organizations cumulatively over a five-year period to 2020 (according to cyber security specialist Guidewire Software Inc.; see also "Cyber Risk In A New Era: The Effect On Bank Ratings," May 25, 2021), making up around 26% of attacks.
Noteworthy Cyber Attacks On Australian And New Zealand Banks In The Past Four Years
- ANZ Bank New Zealand--distributed denial-of-service attack, September 2021.
- Data breach involving a legacy file-sharing service run by Accellion--noteworthy users: Reserve Bank Of New Zealand and ASIC, January 2021.
- Network and website disruptions: Outage at Akamai, a U.S.-based global content delivery network, which affected three of the four Australian major banks, June 2021.
- SolarWinds, Microsoft Exchange, and Log4j incidents--which also affected other banks and organizations globally, various dates.
Source: Media reports, Guidewire
Cyber Attacks Could Rattle Australia's Financial System
Cyber risks pose a threat to the stability of the Australian financial system, which is heavily interconnected. The four major banks--Commonwealth Bank of Australia, National Australia Bank Ltd., Westpac Banking Corp., and Australia and New Zealand Banking Group Ltd.--dominate with about 76% of banking system assets.
Many banks participate in direct payments and a successful attack on even one lender could affect the national system. The potential risks will rise as smaller banks gain access.
An attack on a third-party service provider could also cripple banking operations. Many smaller banks use the same content delivery networks (e.g., Akamai, which saw a major outage in 2021), cloud-based service providers (such as AWS), or providers of software as a service for core banking systems (e.g., Temenos or Data Action, which is especially relevant for smaller and regional banks).
Authorities Are Taking Action
Regulators and other authorities have supported the resilience of individual banks and the overall system. In July 2019, the Australian Prudential Regulation Authority (APRA) issued an Information Security Prudential Standard to help the industry prepare and build out cyber risk management frameworks.
APRA has also strengthened its scrutiny of cyber risks. The regulator issued notices in 2021 advising all banks to start preparing for Information Security tripartite reviews. The review required the board of a bank to engage third-party independent auditors to undertake a compliance review with the results reported to the bank's board and APRA.
APRA has flagged that banks must strengthen their ability to oversee cyber resilience. This is according to an independent assessment contained in APRA's November 2021 publication of the outcome of two pilot initiatives covering its technology resilience data collection and compliance with its Information Security Prudential Standard. APRA encouraged boards to have the same level of confidence in reviewing and challenging information security issues as they do when governing other business issues. APRA also suggested that in many cases there was little evidence of boards actively reviewing and challenging the information that senior management has provided on cyber topics. It also states that some boards are not receiving information about the effectiveness of testing of information security controls.
All businesses in Australia, including banks, are required to notify the government-run ACSC of any cyber incident that has a critical or relevant impact. ACSC, which is charged with developing solutions to cyber security threats, monitors cyber threats globally and alerts Australian businesses on emerging risks.
Nonbank financial institutions are not as closely regulated and may be lagging their regulated bank peers in developing cyber defenses. However, we have observed many banks and nonbanks reference cyber risk against the NIST (National Institute of Standards and Technology at the U.S. Department of Commerce) framework, which we view as a sound approach to cyber risk management.
Industry Collaboration Is A Boon
The ongoing gradual increase in formal collaboration within the Australian banking industry should help ease systemwide cyber risks, in our view.
In March 2019, the Australian Council of Financial Regulators (APRA, the Reserve Bank of Australia, the Australian Securities and Investments Commission, and the Federal Treasury) established a cyber security working group with the aim of establishing a framework to improve cyber resilience in the Australian financial services industry.
As part of its prudential standards, APRA requested banks to share information on cyber events. This helps the regulator surveil the threat landscape and provides a feedback loop to banks and industry.
The Australian Department of Home Affairs also encourages all critical infrastructure asset owners (of which banks are one) to voluntarily report cyber security incidents to ACSC, even if the threshold for mandatory reporting is not met, again for the benefit of the whole.
We have also observed that where industry participation in the past occurred on an ad hoc basis it has been formalized in recent years. For example, the chief information security officers of banks and industry bodies now regularly meet to discuss cyber risk issues.
Overall Cyber Risk Is Low
In our view, the overall level of cyber risk for the Australian banking system is low. This is because of early steps taken to strengthen cyber risk management, strong industry collaboration, and the strong capitalization of the banking system.
Using a tail-value-at-risk calculation, Guidewire measures the average loss for the 40 most severe simulations (or 0.4% of the most severe loss scenarios) and assesses that the 20 Australian banks we rate would suffer a weighted average tail loss of 0.69% of their equity following a cyber attack. In comparison, the average regulatory operational risk capital charge for the banking system was 7% of total equity and should therefore be more than sufficient to cover losses from a cyber event. However, this assessment does not incorporate possible business position effects, associated revenue loss potential due to reputational damage, or cyber ransom.
The chart below shows losses for Australian banks in the Guidewire analysis for different scenarios and confidence levels. We averaged the losses for the 20 Australian banks for different confidence levels and plotted the loss levels against these tail quantiles. For example, in less than 0.1% of the scenarios was the average loss less than 1% of common equity.
Chart 1
Cyber-Skill Shortages Heighten Risks Locally And Globally
Globally, the cyber-skill workforce gap is about 2.7 million people, driven by a rise in cyber incidents and new cyber security and data privacy laws that are forcing organizations to protect their data more closely (according to the (ISC)2 cybersecurity workforce study). In addition, banks are competing with an information technology sector that is also experiencing an increasing demand for these skills.
In Australia, the pandemic has exacerbated the problem as skilled immigration from overseas came to a standstill. In our discussions with banks, we noted that banks that are willing to pay can attract resources--this is particularly the case for larger banks with deeper pockets. However, smaller banks find it difficult to retain and attract suitable staff.
Immigration flows returning in 2023 should address this risk in part, in our view. Furthermore, moves by tertiary institutions to provide more relevant training may also lead to improvements, given the demand for cyber related skills.
Data Breaches Are A Key Risk
The growth of ransomware linked to data theft, coupled with the significant amount of sensitive information that banks handle, suggests that data breaches are a significant risk for Australian banks, particularly compared to other dangers such as business interruptions. Worldwide, ransomware-related attacks leading to data leaks increased by 82% year on year in 2021, to 2,686 attacks (source: "2022 Global Threat Report" from CrowdStrike, a cybersecurity technology company).
The chart below shows a percentage breakdown of the components of the tail value at risk loss (which is the average of the worst 40 simulations).
Chart 2
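The tail-value-at-risk measure and its component breakdown described above can be reproduced on simulated losses. The following is an added example, not Guidewire's model or code from the original report: the function names, the frequency and severity parameters, and the equity figure are constructed assumptions, and 10,000 simulations is the count implied by 40 scenarios being 0.4% of the total.

```python
import random

OP_RISK_CHARGE_PCT = 7.0  # average operational risk capital charge quoted in the text

def simulate(n, seed=1):
    """Constructed frequency/severity model; every parameter here is an assumption."""
    rng = random.Random(seed)
    scenarios = []
    for _ in range(n):
        # Loss per simulated year, in constructed currency units (millions).
        breach = rng.lognormvariate(2.0, 1.5) if rng.random() < 0.05 else 0.0
        outage = rng.lognormvariate(1.0, 1.0) if rng.random() < 0.10 else 0.0
        scenarios.append({"data_breach": breach, "business_interruption": outage})
    return scenarios

def tail_value_at_risk(scenarios, tail_fraction):
    """Return (mean loss of the worst scenarios, component shares, tail size)."""
    if not scenarios or not 0 < tail_fraction <= 1:
        raise ValueError("need scenarios and a tail fraction in (0, 1]")
    k = max(1, round(len(scenarios) * tail_fraction))
    # Rank whole scenarios by total loss so the components stay attached to them.
    ranked = sorted(scenarios, key=lambda s: sum(s.values()), reverse=True)
    tail = ranked[:k]
    tvar = sum(sum(s.values()) for s in tail) / k
    by_component = {}
    for s in tail:
        for name, loss in s.items():
            by_component[name] = by_component.get(name, 0.0) + loss
    total = sum(by_component.values())
    shares = {n: (v / total if total else 0.0) for n, v in by_component.items()}
    return tvar, shares, k

def tail_loss_vs_capital(tvar, equity, charge_pct=OP_RISK_CHARGE_PCT):
    """Tail loss as a percentage of equity, and whether the capital charge covers it."""
    pct = 100.0 * tvar / equity
    return pct, pct <= charge_pct

if __name__ == "__main__":
    tvar, shares, k = tail_value_at_risk(simulate(10_000), 0.004)
    pct, covered = tail_loss_vs_capital(tvar, equity=5_000.0)  # constructed equity
    print(f"worst {k} scenarios: TVaR {tvar:.1f}m = {pct:.2f}% of equity, covered={covered}")
    for name, share in shares.items():
        print(f"  {name}: {share:.0%} of tail loss")
```

The component shares are computed only over the tail scenarios, which is why a loss type that is rare overall can still dominate the breakdown.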
The size of banks in terms of customer base and revenue seems key to gauging susceptibility to a data breach event. For banks with significant customer sets and relatively lower revenue numbers, the risk of a data breach is much higher. Other factors that may also play a role include the number of unique IP addresses a company has, its volume of network traffic, and the general popularity of its website.
Guidewire also lists these banks (please see chart below, mainly Australian regional banks with relatively larger customer sets) as outliers in terms of total losses--mainly from a data breach event.
Chart 3
Cyber risk is an evolving risk. The frequency and sophistication of attacks are on the increase and the banking industry as a collective faces the challenge of combining efforts to manage the risk. Failing to do so could have systemic implications.
Related Research
- Asia-Pacific Banks' Digital Opening Raises Cyber Risks, Sept. 27, 2022
- Gulf Banks' Strong Capitalization Supports Resilience To Cyber Risk, May 16, 2022
- Cyber Risk In A New Era: The Effect On Bank Ratings, May 25, 2021
This report does not constitute a rating action.
S&P Global Ratings Australia Pty Ltd holds Australian financial services license number 337565 under the Corporations Act 2001. S&P Global Ratings' credit ratings and related research are not intended for and must not be distributed to any person in Australia other than a wholesale client (as defined in Chapter 7 of the Corporations Act).
Primary Credit Analyst: Nico N DeLange, Sydney + 61 2 9255 9887; nico.delange@spglobal.com
Secondary Contacts: Sharad Jain, Melbourne + 61 3 9631 2077; sharad.jain@spglobal.com
Lisa Barrett, Melbourne + 61 3 9631 2081; lisa.barrett@spglobal.com