S&P to include hacking risks in credit rating of Asia-Pacific banks

Negative ratings momentum could result in jurisdictions where the entire industry suffers serious data breaches repeatedly, or where regulators are particularly lax, the agency said

With the surge in inter-connected banking on digital platforms, global rating agency Standard and Poor’s (S&P) today said it is incorporating risks of hacking into rating of financial institutions.

Asia-Pacific banks have been hacked before, and will be hacked again, the agency said in a statement, adding that the region's ever-more open and interconnected banking systems raise the threat of hacks and data breaches.

Apart from creating direct monetary losses, data breaches can damage the reputation of a bank and hit its credit profile. In jurisdictions where the entire industry suffers serious data breaches repeatedly, or where regulators are particularly lax, negative ratings momentum could result, the agency added.

Nico DeLange, credit analyst, S&P Global Ratings, said, "While we have not downgraded any Asia-Pacific bank as the result of a cyberattack, the hit to individual institutions could be crippling. This could be particularly true for banks that have not invested enough in their cybersecurity".

Asia-Pacific financial institutions are increasingly on the cloud, sharing client data with a fintech firm, or relying on third-party service providers. With the addition of each new partner into a digital system, hackers get a new point of entry. Attackers targeting entities with weak security could get a back door into the data of larger, better defended banks.

Australia, Hong Kong, Singapore, South Korea, mainland China, India, New Zealand and Japan are at various stages toward implementing open banking. A major bank could partner with a small fintech firm, which may not have resources for a robust cyber defence, it said.

"To prevent attacks, Asia-Pacific regulators will need a dogged determination to understand and manage risks," the agency said. "This points to the need for collaboration, and cross-border information sharing to build cyber resilience across entities to prevent systemic risk."

Asia-Pacific banks also often rely on partners for their cloud computing and open banking platforms. This involves a fresh set of risks. Amazon Web Services (AWS), Google Cloud Platform, IBM Cloud, Oracle Cloud, and Microsoft Azure control about 80 per cent of the cloud service market, according to Gartner, a researcher. These five entities have access to key banking data and support core banking services.