The significance of cyber risk as a threat to global financial institutions is growing, but Gulf Cooperation Council (GCC) banks are actively prioritizing their defense against this danger. This is according to a new report from S&P Global.
In the past two years, no noteworthy cyber attacks or losses have been reported by GCC-based banks. While it is possible that some attacks may have gone unreported, the absence of significant losses in financial reports and the relatively low operational risk capital charges suggest that any incidents were likely minor in nature, the agency said.
Read more: Can GCC banks weather funding risks?
According to cyber security specialist Guidewire, there was a 34.3 percent likelihood that a specific bank would be targeted by a cyber attack as of the end of 2023. In 2022, banks and financial companies ranked as the sixth most targeted sector, with an average of 1,131 weekly attacks, as reported by cyber intelligence provider Check Point Research. Education/research was No. 1, followed by the government/military, and health care.
Minimizing exposure to cyber risk
The success of GCC banks in managing cyber-related risks is not a coincidence. These banks have made investments in infrastructure and systems, including equipment and software, to minimize their exposure to cyber risk. This demonstrates the high priority that senior management and boards of rated GCC banks place on cyber security, as evidenced by public disclosures and interactions with senior figures.
S&P Global Ratings considers cyber risks for GCC banks to be manageable. This view is supported by data from Guidewire, which utilizes a tail-value-at-risk calculation to measure the average loss in the 40 most severe simulations in its model. Based on the December 2023 estimations in Guidewire’s model and the annualized net income and equity of banks as of September 2023, rated GCC banks could potentially lose around 2.2 percent of net income and 0.3 percent of equity. Guidewire data also indicates that the banks have sufficient operational risk capital buffers to absorb unexpected losses, with operational risk capital buffers representing 12.0 times the modeled loss.
Although S&P does not incorporate Guidewire’s loss estimates into their capital analysis, they provide valuable insight regarding GCC banks’ exposure to cyber risk and our overall assessment of their risk position. It is worth noting that Guidewire reports that 94 percent of the risk stems from the possibility of direct or contingent disruption to a bank’s business. Depending on the nature of such a disruption, it could potentially impact the creditworthiness of banks, particularly in the case of prolonged business stoppages.
Vulnerability is relatively manageable
Overall, the GCC region’s vulnerability to cyber criminal activity appears to be relatively manageable. According to SOCRadar, a cyber security company, the region accounted for approximately 2 percent of posts on the global dark web (an unindexed part of the internet that requires a specific browser), 1.8 percent of ransomware attacks, and 0.1 percent of phishing campaigns from March 2022 to February 2023.
It is worth highlighting that the UAE accounted for 53 percent of the region’s dark web threats, 30 percent of its ransomware attacks, and 64 percent of phishing attacks. The UAE’s Cybersecurity Council reported blocking over 71 million cyber attacks in the first three quarters of 2023.
No significant losses from cyber incidents for rated GCC banks
None of the GCC banks that S&P rated have reported significant financial losses or reputational damage resulting from cyber incidents in the past two years. Furthermore, the average operational risk capital charge under local capital requirements for these banks stood at 2.7 percent of total equity as of September 30, 2023 (assuming a minimum capital requirement ratio of 8 percent).
Guidewire’s estimates further support these findings, indicating that rated GCC banks could potentially lose between 0.9 percent and 4.9 percent of net income and 0.1 percent and 0.4 percent of equity based on the December 2023 estimations in their model. Additionally, among the GCC banks in our sample, those operating in multiple countries or possessing significant retail franchises reported slightly higher charges. The operational risk capital charge serves as a useful indicator of risk perception, as it is designed to provide coverage for all operational risks, including cyber risk. However, it is important to acknowledge that operational risk is based on historical data and may not accurately reflect future risk exposures.
For more news on banking & finance, click here.