S&P warns European banks not on top of growing cyber risk
Major cyberattack could cost Europe’s banks 7% of equity value
Cyber risk remains a “pressing concern” for European banks that could affect their creditworthiness, warns S&P Global Ratings. It believes proper cyber resilience remains elusive in the sector.
In a new report, S&P says Europe’s banks using a combination of old and new technology systems are more vulnerable to cyberattack. “We consider that the complexity of many banks’ IT systems, and a shortage of cyber security expertise and investment has compounded risks faced by the European banking sector,” it says.
“A heightened threat of cyberattacks and the rapid digitalisation of financial services has left European banks increasingly exposed to cyber risks. Industry and regulators are responding, but S&P Global Ratings believes that consistent cyber resilience remains a distant goal for the sector,” the report says.
It warns that while cyber incidents have so far had little impact on the credit quality of rated banks, this could “quickly and dramatically change”.
To date, Malta’s Bank of Valletta is the only European bank to be downgraded following a cyberattack. “Cyber risk contributes to our wider credit risk analysis and reflects our belief that a lack of cyber preparedness is often a characteristic of generally weaker risk governance,” S&P explains.
Using data from cybersecurity specialist Guidewire, S&P says a major cyberattack against a large bank could wipe enough from its equity value to be material to its credit quality. Modelling an unlikely but significant cyberattack affecting 94 European banks with revenues of more than $1bn, S&P found a lender could lose as much as 7% of equity value.
“That is a magnitude of loss that could prove material to the assessment of a bank’s credit quality,” it says. Median losses were more “manageable, though still significant” at 0.8% of equity, S&P says.
It says banks are inherently susceptible to the impact of cyber risk. They face the threat of direct financial loss from theft and indirect losses from ransom demands, reputational damage and the associated risk of withdrawals from concerned customers, as well as the potential for regulatory fines.
“Those dangers demand that a bank’s cyber preparedness be considered when assessing creditworthiness,” says S&P Global Ratings credit analyst Benjamin Heinrich.
The lack of a dedicated cyber risk framework, failure to delegate management responsibility for cyber risk management and the lack of an emergency plan in the event of a cyber breach all indicate poor levels of cyber preparedness, S&P says.