S&P Global Ratings believes GCC banks’ exposure to electronic risks is manageable, assuming they continue to invest in cyber security and proactively manage risk, taking into consideration the evolving nature of threats.
It noted that GCC banks have reported only a handful of digital breaches and cyberattacks over the past decade.
GCC banks laid the foundation for success over several years by investing in infrastructure and systems, including equipment and software, to minimize their exposure to cyber risk, while also benefiting from supportive regulatory frameworks and cyber risk requirements.
There have been no major interruptions to the operations of banks in GCC countries. For example, mortgage lending in Saudi Arabia continued to expand at double-digit rates despite the digital shift. While some incidents might have gone unreported, it is likely these were minor given the absence of significant losses in financial reports and the banks’ relatively low operational risk capital charges.
S&P’s view of manageable cyber risk for GCC banks is supported by data from cyber security specialist Guidewire. It estimates that the region’s top 19 banks (for which data was available) would suffer an average 7.5% fall in net income and a 0.6% decline in equity, based on figures from the end of 2021, under a high-severity cyber incident; at the same time, the banks’ average operational risk capital charge was 3.6% of total equity.
S&P believes the data suggests that GCC banks appear to have sufficient operational risk capital to cover losses related to cyber risk. S&P notes that Guidewire doesn’t incorporate the possible impact of a cyber incident on a bank’s business position, associated revenue loss potential due to reputation damage, or cyber ransom.
How cyber risks affect analysis of banks
Cyberattacks have the potential to harm banks’ credit profiles through reputation damage as well as monetary loss. In the event of a large-scale attack on a systemic bank or several large institutions, we could foresee governments taking measures to stabilize the sector. In our analysis of banks’ creditworthiness, we consider the impact of cyber risks on the banking system as well as on individual banks.
S&P’s systemwide banking sector analysis captures cyber risks in a given country when, for example, an entire banking industry has suffered a series of repeated, serious security breaches, or regulators appear to be more reactive than proactive in forcing financial institutions to strengthen their cyber security frameworks.
Local regulatory frameworks and requirements centered on cyber security
These include the Saudi Central Bank’s cyber security framework, issued in 2017, which defined requirements around governance, risk management, compliance, operations, technology, and the use of third-party cyber security services by regulated entities. Those rules were supplemented, in 2022, with a document on cyber threat intelligence principles, which addressed the production and dissemination of intelligence aimed at identifying and minimizing cyber threats. The United Arab Emirates (UAE) Central Bank established, in late 2021, a Networking and Cyber Security Operations Centre to better protect the local financial system against cyberattacks. The central bank has also identified and worked to improve key pillars of effective cyber resilience for the banking system and its own infrastructure.
In extreme scenarios, cyber risk could have negative implications for liquidity through a sudden outflow of funds, leading to liquidity pressure. Cyber risks evolve rapidly and require continued efforts if banks are to remain protected, and no system can fully protect against unexpected-event risks.
Data breaches are among the biggest risks
Cyber risks range from a temporary interruption of services to the complete shutdown of IT systems due to data destruction and data theft linked to cyber ransoms. The growth of ransomware linked to data theft, coupled with the significant amount of sensitive information handled by banks, suggests that this is a major risk for the GCC’s lenders, particularly compared to other dangers such as business interruption. Ransomware-related attacks leading to data leaks increased by 82% in 2021, when there were 2,686 attacks, up from 1,474 in 2020, according to the “2022 Global Threat Report” from CrowdStrike, a cybersecurity technology company.