Key Takeaways
- Recent attacks on high-profile Australian organizations have highlighted the growing cyber threat.
- We expect cyberattacks to continue in Australia in 2023, prompting an increased focus on governance, regulation, and investment in cyber security.
- Credit ratings remain shielded, but this could change depending on the severity of future breaches.
Cyber risk is increasing globally. Attacks on Australia-based entities have spiked in recent months, and S&P Global Ratings expects such breaches to continue next year. The success of hackers in obtaining sensitive personal data will encourage further attempts despite a general refusal by targets to meet ransom demands.
Australian organizations will need to improve their systems and tighten their defenses. We anticipate that regulators will increase monitoring and reporting of cyber risks.
In Australia cyberattacks have so far not directly affected credit ratings. But the more they occur, the greater the chance of negative credit action.
A Costly National Threat
Cyberattacks can interrupt business and damage reputations, which we consider potentially material credit risks. This is in addition to the direct costs of boosting cyber resilience and restoring information security. The risks and associated costs of cyberattacks are rising.
Cyber risk is now a daily threat. In 2021-2022, the Australian Cyber Security Centre (ACSC) received more than 76,000 cybercrime reports: approximately one report every seven minutes. The ACSC considers that incidents are under-reported and that their severity is growing.
Investments in risk awareness and data security are becoming more sophisticated in order to detect and prevent intrusions. These investments are, in turn, weighing on financial returns and operating efficiencies--although to date not to such an extent as to affect ratings. Stronger online identity verification has reduced the need to retain detailed customer data. Holding less data reduces both the attractiveness of an entity as a target and the harm a breach can cause.
From a governance perspective, the preparedness of management teams in combatting a breach and seeking support remains a key focus. To the extent that their insurance cover allows it, entities can draw additional expert help from insurers' support networks.
Cyberattacks have spanned both the private and public sphere in Australia. Governments, companies, banks, insurers, police, and universities are among those entities affected. Here is a snapshot of recent attacks:
Corporate And Infrastructure
The main consequences of cyberattacks for corporates are business interruption and reputational/brand damage (see "Perspectives On Cyber Risk Across Corporates: The Potential Impact Of Cyber Threats Is Growing," Nov. 7, 2022). Financial consequences from ransom payments or regulatory fines are typically manageable from a credit perspective. While one-off costs are temporary, damage to brands and business from loss of trust and weakened performance could be ongoing.
Until recently, cyberattacks on corporate Australia have been largely low in profile and have not affected large numbers of people. But the landscape is changing, as shown by the cases of telecommunications company Optus (a subsidiary of Singtel Optus Pty Ltd.) and Australia's largest health insurer, Medibank Private Ltd. The underlying sectors, telecommunications and healthcare, face a higher--and more sophisticated--threat because of the sensitive personal information they hold. Infrastructure businesses such as those in the energy sector can also be at higher risk of attack because of the essential nature of their services.
Optus (2022)
- Sector: telecommunications
- Type of attack: data breach
- Number of individuals affected: about 9.8 million current and former customers.
- Other relevant information: Singtel Optus Pty Ltd. has provisioned about $140 million for customer remediation activities. No ransom has been paid. The Australian federal government is investigating.
Woolworths Group Ltd./MyDeal (2022)
- Sector: retail
- Type of attack: data breach
- Number of individuals affected: about 2.2 million customers.
- Other relevant information: no information leaked.
Banking
In our view, Australian banks are attractive targets for cyberattacks. A successful attack can yield access to payment infrastructure as well as a wide range of personal information and data on companies and individuals. This may lead to substantial losses for those attacked.
We consider that cyber risks pose a threat to the stability of the heavily interconnected Australian financial system (see "Australia's Banks Are Slowly Tuning In To The Risks Of Cyber Attacks," Oct. 4, 2022).
However, cyber risk is unlikely to materially affect our credit ratings on Australian financial institutions. This is because of early steps taken by banks and the regulator to strengthen cyber risk management, strong industry collaboration, and the strong capitalization of the banking system.
To date the banking system has avoided crippling attacks but this may not last forever. Noteworthy cyber events during the past four years include:
Australia and New Zealand Banks
- Sector: banking
- ANZ Bank New Zealand, September 2021. Type of attack: distributed denial-of-service (DDoS) attack.
- Reserve Bank of New Zealand and Australian Securities & Investments Commission, January 2021. Type of attack: data breach involving a legacy file-sharing service run by California-based Accellion.
- Three of the four Australian major banks, June 2021. Type of event: network and website disruptions caused by an outage at Akamai, a U.S.-based global content delivery network.
There is a global shortage of people with cyber risk skills (about 2.7 million people according to the (ISC)2 Cybersecurity Workforce Study), and the Australian banking system is no exception. Worse, the banks are competing directly with technology companies for skilled workers.
In our view smaller banks may find it more difficult to attract and retain skilled talent compared with larger banks that have deeper pockets and are willing to pay for the necessary resources.
The size of a bank's customer base may also increase its susceptibility to a data breach. For banks whose customer bases are large relative to their revenue and capital, the risk from a data breach is much higher: there are more records to protect, and more affected customers to remediate, relative to the bank's earnings.
Other factors that enlarge an entity's attack surface include the number of unique IP (internet protocol) addresses it exposes, its volume of network traffic, and the general popularity of its website.
Sovereign And Public Enterprises
Governments and public entities, such as universities, often face similar cyber risks to the private sector. The consequences of incidents will however differ. Several rated entities across Australia have suffered data breaches in recent years, either through direct attacks on their own networks or via third-party vendors.
The costs of prevention and insurance are rising as public entities seek to stay a step ahead of cyber criminals. To date, we assess that the financial consequences have been small and manageable from a credit perspective.
In the past year alone, government-related targets have included the Australian Federal Police, the client management system of the National Disability Insurance Scheme, the payroll software provider to the government of South Australia, the University of Western Australia, and Deakin University. Not all incidents are malicious: privacy breaches have also resulted from apparent human error, such as the one at New South Wales government insurer iCare.
In contrast to the private sector, we believe that governments face less reputational risk and potential for brand damage. It is much harder for residents to change their government than it is for consumers to change their bank or telecommunication provider.
Further, governments are generally not subject to the same regulatory penalties or civil litigation as the private sector. Governments also have much larger and more diversified balance sheets and nearly unfettered revenue-raising powers.
Similarly, despite the rising frequency of reported attacks on the Australian higher education sector, credit quality remains very strong. Retention rates are high, as most students stick with the same provider throughout their course of study.
The ratings on the Australian National University (AA+/Stable/A-1+) are supported by continued domestic and international student demand and strong financial outcomes. We do not see any signs of a shift in student preferences following a high-profile data breach that occurred in 2018.
The Australian National University (2018)
- Sector: higher education
- Type of attack: data breach
- Number of individuals affected: initial estimates put the figure at 200,000 staff and students. A later forensic analysis showed the attackers had access to 19 years' worth of data but exfiltrated far less than that.
- Other relevant information: a post-mortem incident report explained that the attack was unusually sophisticated but could not determine if the attackers were state-sponsored or linked to organized crime. The stolen data do not appear to have been sold or misused, leaving the motivations of the attacker unclear.
Insurance
Insurance companies are themselves targets of attack, and they also provide cover and access to support services for entities under attack. Policies providing cyber risk cover typically cap payments, and payouts to date have been relatively small.
Insurers have moderated their provision of cover. This reflects the complexity of assessing the risk, and of assessing the strength and quality of the controls an insured has embedded. The credit risk implications revolve around the exposure the insurer retains and the appropriate pricing of the risks it accepts.
Additional elements of cyber cover include business interruption, data loss and restoration, liability arising from failure to maintain confidentiality of data, network or data extortion and regulatory expenses.
No credit ratings or rating components on Australia-based insurers have been affected by the consequences of a cyberattack.
The Medibank attackers sought to extort the company by threatening to release confidential customer health data. The attack resulted in temporary system outages, disrupting operations and customers' access to the website. Because the attackers did not encrypt Medibank's systems and Medibank retained access to its data, the attack is classified as data theft and extortion rather than ransomware.
Medibank Private Ltd. (2022)
- Sector: health insurance
- Type of attack: data breach
- Number of individuals affected: about 3.9 million customers.
- Other relevant information: some personal customer information has been leaked online to the dark web. The Australian government, including the Federal police, is investigating and suspects the attack to be the work of loosely affiliated cyber criminals.
Structured Finance
We believe that securitizations have a lower direct exposure to cyber events due to the special purpose entities (SPEs) in these structures. However, the potential for negative impact could be more significant given the limited resources available to securitizations, and the reliance of SPEs on third parties.
The servicer, in our view, has the greatest potential for payment disruptions due to a cyberattack. We consider these risks in our rating analysis by understanding the operational preparedness of servicers and other transaction parties in our operational reviews as well as structural mitigants that may be available in the event of disruptions.
No cyberattacks to date have affected payment flows in securitization in Australia. In Europe in 2021 we saw the first structured finance transaction reporting an operational disruption following a ransomware attack on the originator and servicer (see "Credit FAQ: How Could Cyber Risks Affect Structured Finance Transactions?" Sept. 8, 2021).
Ransom: To Pay Or Not To Pay?
Ransom demands will continue to generate challenges for entities under attack. A ransomware attack and the associated demand for payment may be small in monetary terms, but it can nevertheless cause unwanted notoriety and reputational harm.
Debate continues as to whether organizations that have received ransom demands should pay the ransom. In the Optus and Medibank cases, ransom demands were made but neither company paid.
The ACSC advises against paying a ransom: payment guarantees neither that the victim will regain access to its data nor that stolen copies will not be sold or leaked. Despite the Australian federal government's position, some cyber industry participants recommend paying a ransom in certain circumstances. The argument for paying is that the perpetrators treat cyberattacks as a "business" and that restoring data upon payment completes the transaction.
ESG Factors: Management And Governance
S&P Global Ratings assesses cyber risk as part of our assessment of management and governance. The relevant environmental, social, and governance (ESG) subfactors are risk management, culture, and oversight.
For both management teams and boards, the question of how to assess and manage cyber risks will gain greater attention in 2023. In many instances this will involve further upgrading and tightening of existing systems and procedures. Costs will increase, including for hiring staff with the requisite cyber security expertise.
Analysis of significant cyberattack events will help to determine lessons learned and provide valuable input into plans and strategies. In the case of Medibank, the Australian Prudential Regulation Authority has contributed to the terms of an external review being undertaken by Medibank and is increasing its supervision of the company.
An Unrelenting Battle
Communication about cyber risk management will increase in 2023, partly in response to increased demands and expectations from investors, regulators and customers.
Key questions for many organizations will be what customer data it is appropriate to request, how the data are to be received, whether they need to be kept for business purposes, and if so, for how long. We expect to see more in-depth reporting of cyber risk in organizations' annual reports.
The battle against cyberattackers will be unrelenting. Strong defenses are key.
Related Research
- Perspectives On Cyber Risk Across Corporates: The Potential Impact Of Cyber Threats Is Growing, Nov. 7, 2022
- Cyber Trends And Credit Risks, Oct. 25, 2022
- Australia's Banks Are Slowly Tuning In To The Risks Of Cyber Attacks, Oct. 4, 2022
- Credit FAQ: How Could Cyber Risks Affect Structured Finance Transactions? Sept. 8, 2021
Editor: Lex Hall
This report does not constitute a rating action.
S&P Global Ratings Australia Pty Ltd holds Australian financial services license number 337565 under the Corporations Act 2001. S&P Global Ratings' credit ratings and related research are not intended for and must not be distributed to any person in Australia other than a wholesale client (as defined in Chapter 7 of the Corporations Act).
Primary Credit Analysts:
- Richard Timbs, Sydney, +61 2 9255 9824; richard.timbs@spglobal.com
- Craig A Bennett, Melbourne, +61 3 9631 2197; craig.bennett@spglobal.com
- Nico N DeLange, Sydney, +61 2 9255 9887; nico.delange@spglobal.com
- Anthony Walker, Melbourne, +61 3 9631 2019; anthony.walker@spglobal.com
Secondary Contacts:
- Martin J Foo, Melbourne, +61 3 9631 2016; martin.foo@spglobal.com
- Narelle Coneybeare, Sydney, +61 2 9255 9838; narelle.coneybeare@spglobal.com
- Sharad Jain, Melbourne, +61 3 9631 2077; sharad.jain@spglobal.com
No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.