JOHANNESBURG - Moody’s Investors Service says in a new report that global retail and commercial banks are at increasing risk of cyberattacks as their operations become more digitized, which can impact credit standing through financial losses, erosion of brand value, and regulatory consequences.
“Cyberthreats exist regardless of the bank’s size or location. Smaller banks in developing markets often have fewer resources for cyber defense and internal controls, making them an easy target for financial theft,” says Sophia Lee, A Moody’s Vice President and Senior Credit Officer. “In contrast, larger banks in advanced and wealthy markets have more resources but are at greater risk because of more widespread digitalization and the high value of the data they house,” adds Lee.
Banks are highly vulnerable to cyberattacks, with some differences between developed and developing markets. Cyberattacks often target weak links in payment networks or in banks' data platforms and vendors. For example, financial thefts at banks in developing markets have exploited their weak internal controls around systems such as the SWIFT1 network. Smaller banks have fewer resources for cyber defense, often have weaker internal controls and may operate in jurisdictions with few or no cybersecurity laws or regulations. Larger banks in advanced and wealthy markets are at greater risk because of more widespread digitalization and the high value of the data they house.
Impacts range from direct financial losses to franchise erosion and even systemic shock. Financial losses commonly occur via theft and fraud, and they generally affect banks through one-off reductions in profit and potentially capitalization. More lasting franchise erosion, with indeterminate losses, can result from large data breaches or business disruption. The most common methods to attack banks' technology are via a distributed denial of service (DDoS) attack on servers and via malware infections. A successful attack on a large, highly interconnected bank could pose systemwide risk.
Improving cyber governance and regulatory scrutiny help mitigate cyber risk. Banks' cyberattack prevention measures focus on infrastructure security and enterprise wide cybersecurity policy and its enforcement. Regulatory requirements will increase as policymakers become more attuned to the dire consequences that cyberattacks can pose to financial stability. We expect regulators to play an instrumental role in introducing global cyber standards and promoting contingency planning within the industry.
Credit implications of cyber risk depend on the type and severity of successful attacks. Compared with cyber theft or fraud, major data breaches and denials of service are bigger and more intractable threats. The credit costs are not immediately quantifiable, but will occur gradually through weaker growth, loss of customers and greater funding costs. The rising threat of cyberattacks will lead to higher operating, legal and regulatory costs for all banks, regardless of whether particular threats materialize.