Cyber-attacks against financial institutions are an increasingly significant risk, says Fitch Ratings. The global rating agency said that cyber risk is a growing threat that can adversely affect credit ratings as attacks can compromise customer data and disrupt websites, with detrimental financial or operational consequences for individual issuers and financial systems.
Related reputational damage may weaken business and access to funding and capital markets. In one of the latest reported attacks, payday lender Wonga said earlier this month that up to 270,000 customers in the UK and Poland may have been affected by a data breach.
The agency said that it believes that institutions with substantial consumer lending businesses and deposit franchises are most at risk of financially motivated attacks due to the scope for theft from customer accounts and the large volume of personal data they hold.
However, larger institutions typically have stronger risk controls and regulatory oversight, mitigating some of the risks. Institutions that provide trade execution, clearing and settlement services are more vulnerable to disruptively motivated attacks, due to their interconnectivity with the financial system. Regulators have been increasingly vocal on cybersecurity and have urged cyber-attack stress testing.
The chair of the U.S. Securities and Exchange Commission stated in 2016 that cybersecurity is the biggest risk to the U.S. financial system. Under the EU's General Data Protection Regulation, which takes effect in May 2018, banks face potentially large fines - up to 4 per cent of their global turnover - for security breaches of personal data. All organisations that use data from EU citizens must comply, regardless of their domicile.
Fitch said that industry collaboration that has been in place for years will continue to be beneficial. Organisations such as the Financial Services Sector Coordinating Council and Financial Services Information Sharing and Analysis Center promote information sharing and security coordination.
Furthermore, certain regulatory bodies are taking the view that cyber risk management should be internationally coordinated, as evidenced by committees and working groups such as The International Organization of Securities Commission's Committee on Payments and Market Infrastructures and G-7 Cyber Risk Expert Group.
According to the European Central Bank, the average lag until a breach is detected was 146 days in 2016, down from 205 days in 2014. As information is shared across firms, cyber risk detection and response plans could improve, but coordination does not ensure that risks can be fully contained.