S&P Global Ratings believes GCC banks’ exposure to cyber risk is manageable, assuming they continue to invest in cyber security and proactively manage risk, taking into consideration the evolving nature of threats.
It notes that GCC banks have reported only a handful of digital breaches and cyberattacks over the past decade. While some might have gone unreported, it is likely these were minor incidents given the absence of significant losses in financial reports and the banks’ relatively low operational risk capital charges.
Cyber risk is a mounting threat to the operations and credit profiles of financial institutions, and never more so than since the pandemic accelerated the shift to online banking.
There have been no major interruptions to the operations of banks in GCC countries, however. For example, in Saudi Arabia, mortgage lending continued to expand at double-digit rates despite the digital shift. GCC banks laid the foundation for success over several years by investing in infrastructure and systems, including equipment and software, to minimize their exposure to cyber risk, while also benefiting from supportive regulatory frameworks and cyber risk requirements.
THE S&P view of manageable cyber risk for GCC banks is supported by data from cyber security specialist Guidewire. It estimates that the region’s top 19 banks (for which data was available) would suffer an average 7.5% fall in net income and a 0.6% decline in equity, based on figures from the end of 2021, under a high-severity cyber incident; at the same time, the banks’ average operational risk capital charge was 3.6% of total equity.
S&P believes the data suggests that GCC banks appear to have sufficient operational risk capital to cover losses related to cyber risk.
Also published on Medium.