Cyber-attacks against financial institutions are an increasingly significant risk, Fitch Ratings says. Cyber risk is a growing threat that can adversely affect credit ratings as attacks can compromise customer data and disrupt websites, with detrimental financial or operational consequences for individual issuers and financial systems. Related reputational damage may weaken business and access to funding and capital markets.
In one of the latest reported attacks, payday lender Wonga said earlier this month that up to 270,000 customers in the UK and Poland may have been affected by a data breach, Fitch reported on its website.
“We believe that institutions with substantial consumer lending businesses and deposit franchises are most at risk of financially motivated attacks due to the scope for theft from customer accounts and the large volume of personal data they hold. However, larger institutions typically have stronger risk controls and regulatory oversight, mitigating some of the risks,” the ratings agency said.
Institutions that provide trade execution, clearing and settlement services are more vulnerable to disruptively motivated attacks, due to their interconnectivity with the financial system.
Regulators have been increasingly vocal on cyber security and have urged cyber-attack stress testing. The chair of the US Securities and Exchange Commission stated in 2016 that cyber security is the biggest risk to the US financial system. Under the EU’s General Data Protection Regulation, which takes effect in May 2018, banks face potentially large fines—up to 4% of their global turnover—for security breaches of personal data. All organizations that use data from EU citizens must comply, regardless of their domicile.
“We believe that industry collaboration that has been in place for years will continue to be beneficial. Organizations such as the Financial Services Sector Coordinating Council and Financial Services Information Sharing and Analysis Center promote information sharing and security coordination.”
Furthermore, certain regulatory bodies are taking the view that cyber risk management should be internationally coordinated, as evidenced by committees and working groups such as The International Organization of Securities Commission’s Committee on Payments and Market Infrastructures and G-7 Cyber Risk Expert Group.
According to the European Central Bank, the average lag until a breach is detected was 146 days in 2016, down from 205 days in 2014. As information is shared across firms, cyber risk detection and response plans could improve, but coordination does not ensure that risks can be fully contained.