Cyber risk is a growing threat to financial institutions’ operations and credit profiles globally and a danger that Gulf Cooperation Council (GCC) banks are prioritising. While no meaningful cyber-attacks (or losses) have been reported by a GCC-based bank in the last two years, there is a possibility some attacks may have gone unreported. However, these attacks are likely to have been minor incidents given the absence of significant losses in financial reports and GCC banks’ relatively low operational risk capital charges.
According to cyber security specialist Guidewire, as of year-end 2023, across the global banking industry there was a 34.3% probability that a particular bank would be the target of a cyber-attack. Further, according to cyber intelligence provider Check Point Research, banks and financial companies were the sixth most targeted sector in 2022, with an average of 1,131 weekly attacks. Education/research was the top target, followed by the government/military, and healthcare was not far behind (see chart 1).

The GCC banks have invested in infrastructure and systems – including equipment and software – to minimise exposure to cyber risk. That, in turn, reflects the importance that rated GCC banks’ senior management and boards place on cyber security, typically ranking at the top of their agendas according to public disclosures and S&P Global Ratings’ interactions with senior figures.
GCC banks’ cyber risk appears manageable
S&P Global Ratings considers cyber risks for GCC banks to be manageable. This is supported by data from Guidewire, which uses a tail-value-at-risk calculation to measure the average loss for the 40 most severe simulations in its model. That calculation found that rated banks from the GCC might lose an estimated 2.2% of net income and 0.3% of equity, based on December 2023 estimations in the Guidewire model and banks’ annualised net income and equity as of September 2023. Guidewire data also suggests that GCC banks have sufficient operational risk capital buffers to absorb unexpected losses that represent 12.0x the modelled loss.
Business interruption is the most important risk
Despite GCC banks’ recent success in avoiding cyber criminality, they can ill afford to be complacent given the variety of cyber threats and the frequency of attacks. Guidewire identifies four principal cyber threats faced by GCC banks, of which business interruption loss is easily the most important, accounting for an estimated 83% of potential losses in 2023. Contingent business interruption loss accounted for an estimated 11% of potential losses, ahead of extortion and data breaches (see chart 2). That ranking reflects the possibility of significant operational interruption due to the loss of systems and the potentially large negative impact on banks’ reputation and profits, depending on the event’s duration and recovery speed.

Cyber risk tops the agenda
Public disclosures and interactions with rated banks’ senior management suggest a relatively good awareness and prioritisation of cyber risk. Rated GCC banks continue to invest in technology, equipment, and staff training to detect and limit exposure to cyber risk. They are also updating policies and investments to account for emerging trends in cyber security. Some GCC banks have even communicated publicly on cyber risk-related Key Performance Indicators (KPIs) and are tracking their evolution.
However, no system is perfect, and continued investment and adaptation are required to minimise risk. This should include customer and staff education, as the former is also key to minimising cyber threats.
Regulators are also driving cyber security
Regulators have an established role in setting GCC banks’ cyber security framework and regulatory requirements. We have seen an expansion of that function with the addition of new initiatives aimed at protecting banking systems from cyber threats.
For example, in October 2022, the Saudi Central Bank (SAMA) established a counter-fraud framework to enable banks to identify and address fraud-related risks effectively and in a standardised manner. That framework comes on top of the country’s cyber security framework, issued in 2017, and its Cyber Threat Intelligence Principles, issued in 2022.

More recently, the UAE Banks Federation (the UBF) organised the third edition of its cyber wargames. Representatives from banks, financial technology institutions, and cyber security experts attended the event, which was supervised by the Central Bank of UAE and the UAE government’s Cyber Security Council.
How cyber risk can affect banks’ ratings
Cyber risk is factored into assessing banks’ business stability, capitalisation, and risk management adequacy. In extreme scenarios, depending on a cyber security event’s duration and recovery speed, cyber risk could negatively affect banks’ profitability. Cyber threats could also impact liquidity, such as a sudden outflow of funds, leading to liquidity pressure.
Additionally, cyber risk evolves rapidly and requires continued monitoring, training, and investment in defences if banks are to remain protected. And we recognise that no system can fully safeguard against unexpected-event risk.
