S&P's Cybersecurity Warning: Late to the GameRating Agency Threatens to Downgrade Banks Over Security Shortcomings
Standard and Poor's has warned that it may downgrade the credit ratings of banks that have poor cybersecurity, but it has not yet done so.
In a report issued this week, the rating agency says it could issue a downgrade before a cyberattack if a bank looked ill-prepared, or following a breach that causes significant damage to a bank's reputation or which leads to substantial monetary losses or legal damages.
"We view weak cybersecurity as an emerging threat that has the potential to pose a higher risk to financial firms in the future, and possibly result in downgrades," the S&P analysts, led by Stuart Plesser, say in the report. "Given banks' retail presence, the value of the data banks hold and their function as key nodes in the global financial system - including being a conduit of currency - we view banks as natural targets facing a high threat of cyber-risk."
A Belated Step
By any measure, S&P's warning to the financial services industry about the threats they face from online attackers is belated. Indeed, it comes three years after financial services firms began suffering significant disruptions to their websites from a wave of DDoS attacks, nearly two years after the Target breach that resulted in the compromise of 40 million payment card accounts and related fraud , and one year after JPMorgan Chase suffered a breach that compromised information on 83 million households and small businesses.
Financial services security expert Avivah Litan, an analyst for the consultancy Gartner, says it's no surprise that S&P is behind the curve on cybersecurity. "After the last financial crisis, nothing surprises me about the credit rating agencies. They always seem to be a couple of years too late in assessing risks."
S&P's report says that to date, it's seen no attacks against banks that have "caused significant reputational or monetary damages," and hence has issued no downgrades, thus suggesting that its cybersecurity-related warnings have not yet been needed.
But Litan cautions that the S&P's inference may be incorrect. "I agree that there haven't been any attacks that caused significant reputational damage, but I am very skeptical that they know enough to say there has been no significant monetary damage. They wouldn't know - it's not like the banks would necessarily tell them about it."
S&P's Cybersecurity Questions
Indeed, the basis of S&P's cybersecurity analysis appears to be a reliance on public sources of information, as well as banks self-reporting on aspects of their information security preparedness and response.
For example, S&P says that it has now begun querying banks using a list of 16 questions to gauge their cybersecurity readiness. Those questions include:
- How long has it typically taken to detect a cyberattack?
- What containment procedures are in place if the bank is breached?
- How many times was the business the target of a high-level attack during the past year, and how far did it reach in the system?
- What's the internal phishing success rate?
- What kind of expertise about cyberattacks exists on the board of directors?
- How much does the bank spend on cybersecurity, what resources does it devote, and what is the total tech budget this year versus last?
Given the results of a credit rating downgrade - which can lead to increased funding costs, loss of access to some types of funding, as well as a decreased ability to extend credit to businesses or households - banks would have an incentive to portray their information security practices in a good light, especially to S&P.
Cybersecurity Investments Increase
With attacks continuing to increase in frequency and severity, Litan says that banks have been responding, and well before S&P's warnings came along (see Gartner's Litan: Top New Threats to Banks). "I do see the average investment and focus on infosec in banking increasing, partly because of regulator pressure. In some cases, mainly among the largest banks, investments are commensurate with the risk, however technology investments must be done carefully and methodically."
She cautions that financial services firms must do more than simply budget for information security. "Banks must balance technology investments across protection, detection and response. And most importantly, they have to align their organization and culture around security awareness and preparedness to make the most out of their investments," she says.
Cyber-Insurance Could See Boost
One way for a bank to hedge its bets against the losses it might suffer from a catastrophic data breach is to take out cyber-insurance. But while S&P says it is querying banks as to whether they have a cyber-insurance policy, "we would not look favorably on a bank that solely relied on cyber-insurance as its protection for a cyber attack," because such policies to date have notable exceptions. "Insurers are offering only a limited amount of insurance with gaps of exclusions, as insurers are acting cautiously given the difficulty to model cyber losses."
Litan, however, says that greater emphasis on cybersecurity by S&P and others could help drive cyber-insurance investments. "The problem is there isn't a set of well-defined metrics to identify and quantify the cost of risks," she says. "More interest in cyber-insurance and more scrutiny by the ratings agencies, however belated it is, will help sharpen those metrics over time."