Canadian Underwriter

U.S. financial services credit ratings resilient to cyber security for now: Standard & Poor’s


June 11, 2015 by Canadian Underwriter



Standard and Poor’s Rating Services has yet to downgrade a company’s rating because of damage resulting from a cyber attack, but the potential is there, suggests new commentary from the agency.

“Although cyber attacks can result in losses and, depending on the systemic nature and magnitude, possible market disruptions, such events so far have not resulted in negative rating actions,” notes the analysis posted Wednesday on the S&P website. “Overall, we found that these targets’ exposure to the events, although large, have not been outsize and were often contained due to their own financial wherewithal and to some extent insurance programs.”

Even so, “we view cyber security as an emerging risk that we believe has the potential to pose a higher credit risk to financial services firms in the future, although we cannot predict the timing,” the commentary states. Citing the frequent high-profile cyber attacks against major corporations and government agencies in the United States, S&P notes it is clear no entity is safe.

“It’s not difficult to envision scenarios in which criminal or state-sponsored cyber attacks (for credit implications, we don’t differentiate the sources of intrusion) would result in significant economic effects, business interruption, theft or reputational risk,” notes the post. “The damage to reputation, brand or competitive position may likely only truly be known in the years ahead.”

With regard to S&P’s case studies involving financial services companies that suffered major data breaches, although all targeted companies emerged intact following the attacks, the post states that “we are increasingly wary about the persistence of cyber attacks and what that might mean for consumer confidence to engage in commerce with the brand.”

There are many paths that hackers can take to breach company data and disrupt business operations, the post notes, citing the data interconnectivity that exists among banks, merchants, data owners and other sources, including vendors, distributors and suppliers.

Effects could certainly be felt beyond individual organizations. Pointing to state-sponsored cyber events that are often strategic and aimed at disrupting global industry competitive dynamics or obtaining intellectual property, the commentary notes such events could subsequently pose contagion risks among sectors.

“In an interconnected world, a major local cyber attack affecting an important linkage in the global economy is likely to have a worldwide and long-lasting impact. If such extreme events were to occur, companies’ individual risk-prevention measures would, in our opinion, become considerably less effective.” Beyond the tightest possible security measures for individual companies, S&P advises that “effective response plans may prove to be the best differentiator among financial services issuers.”

The insurance industry is considered a medium threat and credit risk

And although the rating agency is evaluating cyber risk in the context of management governance and enterprise risk management (ERM), disclosures to date have been limited, perhaps because of concern by individual companies that announcing cyber risk control capabilities will attract attacks.

While threat alone does not determine rating responses, S&P notes that its “credit opinion takes a balanced view incorporating other related factors, including how susceptible a firm’s competitive position would be to a cyber attack, the effectiveness of its response plan, and what is the firm’s financial flexibility, liquidity and capitalization regarding its ability to replenish capital post-event.”

Looking specifically at insurance, consumer information makes insurance companies a target, the post notes. That said, “cyber insurance currently lacks depth and breadth, although we expect premiums to more than double to US$10 billion in the next five to 10 years from US$2.5 billion now. This is a small sum considering the US$496.6 billion of total U.S. net premiums written in 2014.”

S&P categorizes both threat risk and credit risk for insurance as medium, although higher for health insurers. “In addition, the cyber insurance product presents the possibility of clash risk. Offsetting the risk is adequate/strong ERM programs and very strong capitalization,” the commentary adds.

Cyber security is one of many risks an organization faces within S&P’s evaluation of ERM. “As part of our ERM reviews, we are beginning to examine the independent assessment of cyber risk controls in the enterprise and establishment of tolerances and limits regarding cyber risk,” the post states.

“As cyber security becomes a more mature risk, we expect the financial services industry to improve risk controls and response plans. Specifically, we’re referring to the processes and tools a corporation uses to identify, measure, monitor and manage risk exposures within limits, and losses within tolerances,” it adds.

Using banks as an example, below are among the key questions S&P is asking management teams:

• How does the bank measure the exposure and report on cyber risk?

• How many times was the business the target of a high-level attack during the past year, and how far did it reach in the system?

• Does it have any third-party vendor oversight? If so, what kinds and how much?

• What is the internal phishing failure rate?

• How long has it typically taken to detect a cyber attack?

• What containment procedures are in place if the bank is breached?

• Are there any emergency planning test runs?

• What software or other techniques are used to monitor attacks?

• What kind of expertise about cyber attacks exists on the Board of Directors?

• How much does it spend on cyber security, and what resources does it devote?

S&P examines “risk-control processes, including risk identification, risk measurement and monitoring, and the execution/effectiveness of such controls,” the post notes. “Aspects that could favourably influence our view would include evidence and reports of back-testing and ‘what-if’ analysis of headline news. We would also regard play-books or action plans for breaches and evidence of follow-up on action plans positively,” the commentary adds.

“We think there are opportunities for improvement in cyber risk controls. Early-warning systems based on key metrics, standards for cyber security, and the governance of cyber risk could evolve to a more mature state where limit enforcement and compliance could be measured with actions in place for observed breaches,” the commentary states.

With regard to insurance, S&P does not view cyber security insurance as a stand-alone product to be a sufficient means of risk protection. Noting that cyber security insurance is largely limited to liability coverage, “most insurers do not have the risk appetite to cover business-interruption claims (for revenue or margin losses) post cyber attack,” the post states.

“Because the learning curve is steep and actuarial data is lacking, insurers are only dipping their toes in the water for now. To protect their own balance sheets, they have low limits and various exclusions in place. Therefore, we do not view cyber-security insurance as a stand-alone product to be a sufficient means of risk protection,” the commentary adds.

