With the digitization of all industries and especially financial services accelerated by COVID-19, cyber is a growing factor in credit risk. Cyber is considered part of ESG (environmental, social, and governance) considerations; primarily within the governance aspect in terms of operational risk management, but also the social realm in terms of how communications are handled in the wake of an attack. However, as a key operational risk that can have material implications for an entity’s brand, reputation and wider business profile, cyber increasingly warrants a distinct focus in its own right.

Before the Buzzword

In terms of credit risk, ESG factors are those environmental, social, or governance risks or opportunities that impact a firm’s capacity and willingness to meet financial commitments. This could be through influence on revenue, operating requirements, earnings, cash flow, debt, or liquidity; it could be short-, medium- or long-term. For example, a failure to prevent money laundering prompted a downward revision of our outlook on Danske Bank in 2018 on concerns around its risk position. Conversely, in 2017 the City of Vancouver had its rating upgraded on improvements in financial management. Both are examples of the influence of governance factors on credit ratings.

ESG credit factors, including cyber-related credit factors, have been embedded in our credit analysis since long before the term ESG came into vogue; in fact, these factors have been part of our credit analysis since the beginning. For instance, we developed management and governance criteria a number of decades ago.

In recent years, investors have demanded more ESG consideration and disclosure from companies, which has enabled us to increase our transparency regarding how we consider and embed specific ESG credit factors. While we have not created distinct and separate ESG criteria, we do highlight it when we take a ratings action due to ESG credit factors, and this commentary highlights how our criteria already embed such factors. For the two years ending July 31, 2018, ESG factors directly influenced the ratings of 147 global sovereigns, non-U.S. local and regional governments, insurers, and banks.

In our recent ESG analysis of large and small banks in the US and Canada, governance tended to be the major ESG factor affecting credit risk, including both how companies manage cyber risk proactively and how they handle cyber incidents after they occur. For example, we believe the 2019 Capital One breach increased its reputational risk as well as the risk of regulatory intervention or legal sanction. It also underscored the importance of cyber risk management for banking institutions.

Cyber: Pre-empting the Next Big Credit Risk

Cyber risk is more and more relevant to our credit ratings. Our analysts are increasingly probing for cyber preparedness and will dig deeper when needed (such as for financial institutions who handle vast amounts of customer data). Areas of inquiry may include:

    • Accountability structures: does the firm have a CISO and cyber expertise on the board?
    • Budget for cyber investment
    • Overall IT spend, including upgrading of disparate and legacy systems and processes
    • Cyber risk appetite and oversight of third-party risk
    • Detection and monitoring methods and technologies
    • Specific strategies to fight phishing and malware
    • Incident response: desktop exercises, penetration testing
    • Cyber insurance
    • Benchmarking against peers, including a focus on relative levels of cyber maturity

How You Take a Punch Matters

It is inevitable that attacks will occur given the ever-evolving nature and increasing sophistication of cyber criminals. How firms handle the aftermath of a cyberattack can have a tangible impact on credit ratings. For financial services firms, poor management may damage customer trust and loyalty and therefore cause an outflow of funds. In addition, losses from fines could hurt profitability and capital.

For example, in 2019, Malta’s Bank of Valletta (BOV) was the victim of an attack on its international payments system. While our outlook on the bank was already negative, this attack increased our concerns regarding the robustness of BOV's operational risk management, an underlying factor that contributed to its ratings downgrade. Our concerns were linked to uncertainties around the bank’s ability to adequately manage the complexities of its operations and the potential impact of this event, including litigation and any mitigating actions, on its profitability and capital.

On the other hand, in 2015, US health insurance company Anthem was upgraded despite a large data breach earlier in the year. Its proactive communication and policyholder redress programs allowed it to maintain both a very strong balance sheet and business profile despite the attack. The strength of these underlying factors ultimately drove the upgrade. Companies that handle cyber incidents well will be better able to protect profitability and reputation. Leadership, communication, and external transparency are key to limiting the damage.

Ultrafast Digitization is Uncharted Territory

Prior to the pandemic, cyber-attacks had been largely tail events with low frequency and medium severity. We have taken fewer than ten rating actions in the last decade that have had cyber risk at their core, whether because of lost revenue or previously undetected governance deficiencies. This is in part due to our overall focus on governance across our ratings criteria frameworks, which helps to surface operational risk management deficiencies ahead of events, but also because of the relative lack of sizeable and systemic attacks to date.

However, the past is not an indicator of the future. The COVID-19 pandemic has accelerated digitization across all industries, and especially financial services. This has increased both the frequency and severity of cyber incidents, and with them, the potential for rapid deterioration in credit profiles. Over 2020, the rise of ransomware attacks has been somewhat overshadowed by the impacts from the unprecedented global economic shutdowns. That said, we expect the upward trend in such attacks will continue long after this pandemic is over. Attacks that inhibit or disrupt operations have the potential for greater credit implications than data breaches, as they can involve not only balance sheet impacts but also more long-lasting business profile impacts.

Cyber risk now spans across all ESG considerations; it is directly related to financial risk as well as business position. As we have seen in 2020, it may spike following environmental or natural disasters or pandemics. Successful attacks may impact capital, cash flow, earnings, and liquidity, but even more importantly, competitive position and customer confidence. Conversely, robust cyber risk management is a competitive advantage and will become a differentiating factor in a more digitally engaged world.

We therefore expect cyber risk engagement to increase across all rating categories and companies. As with any credit risk factor, its overall importance will depend on the industry sector and the issuer-specific dynamics, risk exposures and capacity to absorb the impact of an attack. But the increasing attention to cyber risk in credit analysis is at a point of no return.

The rise of ESG disclosures and assessments is a response to investor demand. We are expecting the same with cyber risk management disclosures, especially in financial services. Given their confidence-sensitive nature, prices of financial stocks drop more following a breach than those in other industries, and investors are asking about data management on bank earnings calls.

In the coming years, we will continue to do our part to ensure that cyber gets the attention it needs from a credit perspective. While the ability to predict a successful cyber-attack on a specific issuer is not without its challenges, continued and enhanced focus on cyber risk management should better position us and financial markets in this regard. A major cyber event that impacts the global financial system should not catch us all by surprise. We plan to be in a position to rapidly assess issuer response and associated potential credit impacts following such an event.

The Insight

With digitization accelerating across all industries, as well as an increase in remote working in the post-COVID-19 era, cyber risk is growing in importance to credit ratings. It is becoming a distinct focus of both risk and relative opportunity. While cyber risk has been part of our integrated ESG considerations, its increasing importance and its span across E, S and G mean that the “C” will remain at the heart of ESG analytics.

November 2020

© 2020 FS-ISAC, Inc. All rights reserved.


With its attractive business model and multiple revenue streams, ransomware is a growing threat to financial services and their third-party suppliers. While there are many steps you can take to prevent attacks, threat actors are evolving their tactics all the time. If attacked, will you pay the ransom?


FS-ISAC members around the world receive trusted and timely expert information that increases sector-wide knowledge of cybersecurity threats.
