Fitch Ratings-New York/London/Chicago-13 April 2021: Big banks are not automatically well equipped to combat the rapidly growing problem of cybercrimes, according to a new Fitch Ratings report. “Exploring Bank Cybersecurity Risk” outlines how cybersecurity issues can impact bank credit ratings.
Fitch collaborated on the report with SecurityScorecard, a leading cybersecurity risk assessment company, to gain insights into bank cyber risk management and their relative vulnerability to a cyber event.
Using SecurityScorecard’s cybersecurity scores, Fitch analyzed 484 banks across the world representing $111 trillion of aggregate assets or 70% of global banking assets. The analysis revealed that banks with higher credit ratings typically exhibited better cybersecurity scores than banks with lower credit ratings, while developed market banks scored higher with less variability vs. emerging market banks.
Perhaps the most surprising conclusion in Fitch’s sample analysis is that financial size, in terms of assets or operating income is not necessarily a good predictor of cyber health. “Larger banks are more likely to have complex and also legacy IT infrastructure compared to smaller banks, which could increase cybersecurity risk if not properly managed,” said Managing Director Christopher Wolfe.
Cybersecurity risk is a subset of the Risk Controls and Risk Appetite component of Fitch’s Bank Rating Criteria. A material cyber breach would represent an event risk which could have rating implications. While Fitch has not downgraded a bank solely in response to a cybersecurity event to date, cyber breaches have resulted in heightened rating sensitivities for banks, indicating that their ratings are at more risk of a downgrade as a result of the breach.
“Cybersecurity risk scores bring visibility into this opaque risk, and these insights can help spotlight vulnerabilities,” said Wolfe.