Key Takeaways
- Financial market infrastructure (FMI) companies' position at the heart of national and global financial systems underpins their franchises and cashflow generation, while also supporting players' strong ratings.
- We believe that operational resilience--the capacity to avoid and respond to operational disruption--is essential to protecting FMIs' robust and deeply embedded franchises.
- Cyber risk is a prominent hazard to global institutions like FMIs, but we believe that they are well equipped to deal with the rising threat.
- Despite a solid track record, failures in operational resilience, whether linked to cyber or other operational events, remain a central risk factor in our ratings and could precipitate negative rating actions.
Global financial market infrastructure (FMI) companies' strong ratings reflect their robust strategic positioning, high margins and cashflow generation, and track record of strong risk management. In their position at the heart of national and global financial markets, their smooth operation is critical to global financial system stability.
Weak operational resilience--that is, institutions' ability to prevent, respond to, recover, and adapt to disruption--could undermine FMIs' smooth functioning and dent stakeholders' trust in them. Under extreme circumstances, their franchises and therefore their ratings might also become more vulnerable. We note, for example, that persistent events have affected ratings in the recent past (see ASX Ltd. 'AA-/A-1+' Ratings Affirmed Despite Governance Weaknesses; Outlook Stable, published April 6, 2023). To this end, we believe that cyber and other operational risks can test FMIs' resilience, and so are among the most significant risks that the industry faces.
Cyber-attacks are becoming ever more frequent and complex. With that, they pose an increasingly high-profile concern across corporate sectors. FMIs are no exception to this, though we believe that cyber risk should be viewed in the broader context of their operational resilience. FMIs' capacity to monitor, maintain, and resume their services, regardless of the source of disruption, is an essential competency and one that their regulators and customers monitor closely. In fact, among the many potential operational risk events--of which cyber-attacks are just one--service outages are by far the most prevalent risk. While our strong ratings on global FMIs acknowledge their solid foundations and track record of operational resilience, a material weakening in the effectiveness of their risk management--whether from long-term underinvestment or serious and sustained operational risk and cyber events--could undermine FMI ratings.
Defining Operational Resilience For FMIs
We define operational resilience as a company's ability to absorb and adapt to shocks while maintaining essential services, no matter the cause of disruption. This could include man-made threats such as cyber-attacks or IT system and third-party supplier failure, as well as natural hazards such as fire, flood, severe weather, and pandemics. Building resilience to disruption is a holistic discipline that spans FMIs' complex and sprawling business structures. It encompasses their governance, risk management, continuity planning, and business relationships (with vendors and clients; see chart 1 below). At its core, we acknowledge that while firms must try to avoid disruption, events will happen, and firms must be able to respond swiftly to limit the consequences and recover effectively.
Chart 1
FMIs run essential market infrastructure that demands their resilience to operational disruption. They also deliver a host of data and analytics solutions that are essential to their clients' business needs. Furthermore, the industry's delivery of new products and services, adoption of new technologies, and habit of acquisitive growth mean that most FMIs are in a perpetual cycle of operational change. In this way, operational disruption could pose systemic consequences for FMIs.
We see operational resilience as an essential discipline for FMIs. It enables them to serve their customers through volatile market conditions, adapt to evolution in the markets they serve, and meet growing regulatory demands. Delivering operational resilience is not straightforward for the industry, though. If we look across a range of essential disciplines, as outlined in chart 1 above, the dynamic and complex nature of FMIs means that they face a significant challenge to constantly monitor and manage their resilience.
Cyber Risk Management Is An Important Discipline
We view cyber risk as a cornerstone of FMIs' operational resilience. Managing cyber risk and investing in cyber defence are therefore essential. The cyber threat landscape continues to evolve rapidly as technological innovation and global geopolitical volatility persist, and financial institutions like FMIs are prominent targets. Indeed, the profitability of the industry, the vast amounts and sensitivity of customer information and data they process, the systemic implications of their failure, and their international prominence make them a clear target for a range of malicious actors. Data from Guidewire suggests that the motivation to target FMIs is higher than for typical financial institutions and corporates, given their prominence and size (see chart 2). In addition, FMIs are among the most difficult institutions to defend, given their complex networks and extensive digital footprints. They are also likely to be targeted by sophisticated state actors whose motives are often political rather than financial. The sum of these risks leaves their overall Guidewire scoring in line with that of the world's largest banks (see chart 3).
Chart 2
Chart 3
This creates a threat environment that requires a strong response from FMIs as they confront diverse risks. Like other corporates, FMIs face standard cyber infiltration and disruption techniques such as phishing and spear phishing, DDoS attacks, and ransomware across their technological infrastructure. More unique to FMIs are their trading systems, which they often run as closed systems connected by private lines, where access by malicious actors is extremely difficult. That said, the ancillary services that support trading, like regulatory announcement platforms, can operate outside of the closed trading infrastructure, and their disruption affects the operability of a market even as the market technology itself remains resilient. Many FMIs we rate must confront all these risks as they run exchanges, post-trade businesses, and data and analytics feeds.
We generally view the response of rated FMIs to these diverse challenges as effective. Investment in protection and surveillance is high; a cadence of testing and learning is common practice; technological and cyber hygiene is embedded in firms; and overarching governance regimes are mature. Between themselves, firms cooperate closely on cyber risk insights, liaise with intelligence-sharing networks, and are subject to attentive regulatory scrutiny. Nonetheless, the industry has not been immune to attacks, though no high-profile event has occurred among our rated peer set to date. Most prominently, NZX, New Zealand's main cash equities, derivatives, and commodities trading platform, was the victim of a distributed denial of service attack in August 2020 that led to a four-day outage for its main exchange.
Chart 4
Timeline Of The NZX Attack
On Aug. 25, 2020, NZX's website, including its market disclosure platform, was subjected to a DDoS attack. The site and its disclosure portal crashed under the load of the traffic, meaning that the exchange itself, which remained functional, was now operating without fair and efficient disclosure of market information. NZX was forced to halt trading for four days as it scrambled to find a solution, which was not forthcoming until the weekend of Aug. 29/30, after which the market re-opened on Aug. 31. A December 2020 review later found that while the intensity of the attack itself was unprecedented in the New Zealand context, a range of failings at NZX had allowed the attack to occur and then persist. The review found that NZX's governance of risk and cyber risk was insufficient; that it had failed to understand its vulnerabilities; did not invest in protection at a level commensurate with its role as critical financial infrastructure; did not monitor its cyber resilience and technological estate; lacked a comprehensive crisis management framework; and did not have the tools and personnel to develop and maintain situational awareness.
Though exceptional, we see NZX as a cautionary tale for the industry. FMIs are an important target for sophisticated actors, and failure to prioritize cyber resilience in a difficult and evolving risk environment can lead to major events. Cyber risk can acutely test the strategic and operational foundations of FMIs in the medium term and, where weak governance is exposed, could lead to rating actions in the short term. Indeed, since NZX, the ION Cleared Derivatives attack in February 2023 further highlighted the deep industry disruption that can occur if third-party services are interrupted or compromised. Similarly, the six-hour outage of the Bank of England's CHAPS real-time gross settlement system on August 14, the first major outage since 2014, left U.K. banks unable to make large payments between themselves. This highlights the generally good reliability of financial infrastructure, but also the scale of disruption to domestic and global markets when it fails. It is this disruption that can undermine the trust placed in FMIs and affect their ratings.
Operational Risk Events Are Common For The Industry
While cyber risk events can be acute, if infrequent, tests of the FMI industry's foundations, its history of operational risk events and failures is far more chronic (see chart 5). Looking back to 2010, our sample of outages totals around 30, with the length of system downtime ranging from an hour to four days and affecting many of the leading institutions in this global sector. Most of the events have not directly affected the standing of the institutions where they occurred, though some have led to regulatory investigations, costly remediation and fines, and even the resignation of senior management.
Chart 5
In addition to the individual events themselves, we see a cadence of regular service outages as a pronounced medium-term threat to ratings in the industry. For example, ASX's steady pattern of operational failures between 2021 and 2023 led us to revise our view of the group's management and governance. And the downside scenario in our stable outlook now states that if these operational shortcomings dilute the group's franchise and earnings, we could lower our ratings. By contrast, while the settlement suspensions at Euroclear UK and Ireland after failures in the CREST system were notable in 2021 and 2022, we do not yet think they represent a meaningful trend for the Euroclear group. Outages have also risen at global clearing houses (CCPs) in the past 12 months as per the recent CPMI IOSCO disclosure--although CCPs have more flexibility in their settlement cycle than an exchange, so even if they are unable to return to service within their two-hour objective, the spillover effects on market stability are more limited.
Risk Events Have Yet To Spark Sustained Franchise Deterioration
Against a backdrop of rising cyber risk and a steady accumulation of operational risk events, we have yet to see difficulties in operational resilience affecting FMIs' well-rooted strategic positions. Indeed, NZX shows how hard it is to replace essential market infrastructure, even after acute failures--the exchange remains the dominant player in New Zealand. Even so, we continue to see operational resilience failings that bleed into strategic franchises as a meaningful risk to ratings. Of the 22 FMIs we rate, we consider 17 to have "strong" or "excellent" business risk profiles, with most of the remainder no lower than "satisfactory". These assessments tend to correlate with comfortable investment-grade ratings (even moderately leveraged players have 'A' grade ratings, and many are in the 'AA' grade). As such, any failings that weaken franchises or increase financial risk could materially alter ratings--most likely because of a sustained erosion in customer confidence and/or policymaker or regulatory intervention. When franchise deterioration is layered on top of adjustments to ratings that account for risk management and governance faults, which would likely precede a sustained erosion in confidence, operational resilience failings could lead to multiple notch downgrades.
Steepening Regulatory Scrutiny Has Shaped FMI Preparedness
Policymakers have helped to shape the industry's approach to operational resilience. The Bank for International Settlements' Committee on Payments and Market Infrastructures (CPMI) has provided a set of principles on building cyber resilience. This framework aligns with the industry standard expectation for a two-hour recovery time objective (RTO) in the event of an outage to a critical service, regardless of cause. In fact, in December 2022 the CPMI called out the lack of planning for a two-hour RTO in the event of a cyber-attack as a material risk to FMI resilience. It singled out a subset of FMIs as being notably deficient in this respect and encouraged local regulators to act to ensure appropriate RTO planning is in place. As this shows, while the CPMI lays out policy frameworks, it is up to local regulators to design and implement binding regulations. To this end, the Bank of England has extended its policy on operational resilience to central counterparties and central securities depositories, the Fed has laid out resilience expectations as part of its operational risk framework, and the European Central Bank has a clear cyber mandate for the industry.
FMIs are technology-centred businesses, and are evolving to incorporate tools, like cloud-hosted services, that will form the basis of the financial ecosystem over the long term. While these services can provide increased operational capacity, adaptability, and cyber security, they also create a critical reliance on third-party providers. To this end, green shoots of heightened regulation of unregulated third-party service providers are emerging. For example, DORA in the EU and parallel "critical third party" legislation in the U.K. should enhance regulatory oversight of providers--primarily cloud services though this will likely widen in time to incorporate a host of service industries. This should support FMIs' operational resilience but will continue to increase the burden of regulation.
Operational Resilience Will Remain Crucial
We expect that the increasing regulatory scrutiny will support FMIs' existing strategic focus on and investment in operational resilience. Indeed, the industry's attention has notably shifted to resilient infrastructure in recent years after a long-running emphasis on and heavy investment in ultra-low latency capacity. To this end, given that the industry is highly cash-generative most players have the financial resources to build their resilience if they can deploy resources effectively. We believe that rated FMIs are already reaping the benefits of efforts to reinforce their operational resilience. We see this, for example, in their capacity to handle the huge surges in trading volumes in 2020 and 2022, the seemingly reduced rate and severity of operational outages in recent years, and a solid track record on cyber risk. Nevertheless, as the technological environment and FMIs' own strategies continue to evolve, operational resilience will remain crucial.
Related Research
- Australian Mutual Lenders: Path Of Least Resistance May Lead To Higher Cyber Risk, Aug. 29, 2023
- Cyber Risk Insights: European Banks' IT Complexity Amplifies Risk, March 23, 2023
- Cyber Risk Insights: Navigating Digital Disruption, Feb. 22, 2023
- Key Rating Metrics For Global Financial Market Infrastructure Companies (July 2023), July 6, 2023
- FMIs To Ride Out Economic Gloom Amid Financial Stability Risks, Says Report, Jan. 31, 2023
This report does not constitute a rating action.
Primary Credit Analyst: William Edwards, London + 44 20 7176 3359; william.edwards@spglobal.com
Secondary Contacts: Giles Edwards, London + 44 20 7176 7014; giles.edwards@spglobal.com
Nico N DeLange, Sydney + 61 2 9255 9887; nico.delange@spglobal.com