Fitch: Cyber Risk Focus Rising for US FIs, Regulators

NEW YORK--()--Cyberattacks are one of the most significant and growing risk areas for financial institutions and an increasingly relevant factor for their risk control frameworks, says Fitch Ratings. The potential for cyber risks to negatively affect operations, reputation and financial performance suggests that it will continue to be an increasing focus for financial institutions and regulators.

The recent release of an advanced notice of proposed rulemaking (ANPR) concerning enhanced standards for financial entities' cyber risk management underscores the rising concern regulators have over systemic and institutional vulnerabilities. The ANPR, which was issued jointly by the Treasury Department, Federal Reserve and FDIC in October 2016, proposes applying enhanced standards for operational practices pertaining to cybersecurity for large institutions with consolidated assets greater than $50bn. The risks of a single cyberattack on an institution leading to broader systemic risks are a focus of the ANPR and were cited as a key reason behind identifying larger banks, bank holding companies and non-bank financial institutions for enhanced management standards.

Cyberattacks are among the most unpredictable of operational and financial risks for financial institutions. The impact on institutions can range from electronic theft of data from accounts to serious reputational damage and/or disruption, resulting in loss of business. Publicly disclosed attacks in recent years throughout the world have included thefts by hackers totalling tens of millions of dollars. Thieves have also targeted international bank software and services such as the Society for Worldwide Interbank Financial Telecommunication on multiple occasions in recent years.

The unpredictability of cyber risks means that integrating cybersecurity into institutions' risk control infrastructure, frameworks and information technology (IT) budgets are keys to deterring and mitigating the impact of attacks. This is especially the case for larger financial institutions with significant consumer-facing activities, which are at greater risk of attack owing to their substantial customer data. These institutions come under frequent cyberattack from groups seeking to steal private consumer and business data.

That said, these targeted institutions tend to benefit from large-scale IT and operational resources to build relatively robust risk control frameworks. They also gain from meaningful regulatory oversight and requirements regarding cybersecurity standards.

Beyond the regulatory response, financial institutions have been responding to the growing threat in multiple ways. Banks in the US have improved coordination with the formation of a joint working group on cybersecurity in August this year. Frameworks for industry best practices on cybersecurity have also been established. Fitch believes that improved information sharing among institutions could result in better risk detection and response, although it will not completely mitigate the risks. A comprehensive structure that shapes institutions' risk controls in the form of a cybersecurity framework could significantly improve protections.

Additional information is available on www.fitchratings.com.

The above article originally appeared as a post on the Fitch Wire credit market commentary page. The original article can be accessed at www.fitchratings.com. All opinions expressed are those of Fitch Ratings.

ALL FITCH CREDIT RATINGS ARE SUBJECT TO CERTAIN LIMITATIONS AND DISCLAIMERS. PLEASE READ THESE LIMITATIONS AND DISCLAIMERS BY FOLLOWING THIS LINK: HTTPS://WWW.FITCHRATINGS.COM/UNDERSTANDINGCREDITRATINGS. IN ADDITION, RATING DEFINITIONS AND THE TERMS OF USE OF SUCH RATINGS ARE AVAILABLE ON THE AGENCY'S PUBLIC WEB SITE AT WWW.FITCHRATINGS.COM. PUBLISHED RATINGS, CRITERIA, AND METHODOLOGIES ARE AVAILABLE FROM THIS SITE AT ALL TIMES. FITCH'S CODE OF CONDUCT, CONFIDENTIALITY, CONFLICTS OF INTEREST, AFFILIATE FIREWALL, COMPLIANCE, AND OTHER RELEVANT POLICIES AND PROCEDURES ARE ALSO AVAILABLE FROM THE CODE OF CONDUCT SECTION OF THIS SITE. FITCH MAY HAVE PROVIDED ANOTHER PERMISSIBLE SERVICE TO THE RATED ENTITY OR ITS RELATED THIRD PARTIES. DETAILS OF THIS SERVICE FOR RATINGS FOR WHICH THE LEAD ANALYST IS BASED IN AN EU-REGISTERED ENTITY CAN BE FOUND ON THE ENTITY SUMMARY PAGE FOR THIS ISSUER ON THE FITCH WEBSITE.

Copyright © 2016 by Fitch Ratings, Inc., Fitch Ratings Ltd. and its subsidiaries. 33 Whitehall Street, NY, NY 10004. Telephone: 1-800-753-4824, (212) 908-0500. Fax: (212) 480-4435. Reproduction or retransmission in whole or in part is prohibited except by permission. All rights reserved. In issuing and maintaining its ratings and in making other reports (including forecast information), Fitch relies on factual information it receives from issuers and underwriters and from other sources Fitch believes to be credible. Fitch conducts a reasonable investigation of the factual information relied upon by it in accordance with its ratings methodology, and obtains reasonable verification of that information from independent sources, to the extent such sources are available for a given security or in a given jurisdiction. The manner of Fitch's factual investigation and the scope of the third-party verification it obtains will vary depending on the nature of the rated security and its issuer, the requirements and practices in the jurisdiction in which the rated security is offered and sold and/or the issuer is located, the availability and nature of relevant public information, access to the management of the issuer and its advisers, the availability of pre-existing third-party verifications such as audit reports, agreed-upon procedures letters, appraisals, actuarial reports, engineering reports, legal opinions and other reports provided by third parties, the availability of independent and competent third- party verification sources with respect to the particular security or in the particular jurisdiction of the issuer, and a variety of other factors. Users of Fitch's ratings and reports should understand that neither an enhanced factual investigation nor any third-party verification can ensure that all of the information Fitch relies on in connection with a rating or a report will be accurate and complete. Ultimately, the issuer and its advisers are responsible for the accuracy of the information they provide to Fitch and to the market in offering documents and other reports. In issuing its ratings and its reports, Fitch must rely on the work of experts, including independent auditors with respect to financial statements and attorneys with respect to legal and tax matters. Further, ratings and forecasts of financial and other information are inherently forward-looking and embody assumptions and predictions about future events that by their nature cannot be verified as facts. As a result, despite any verification of current facts, ratings and forecasts can be affected by future events or conditions that were not anticipated at the time a rating or forecast was issued or affirmed.

The information in this report is provided "as is" without any representation or warranty of any kind, and Fitch does not represent or warrant that the report or any of its contents will meet any of the requirements of a recipient of the report. A Fitch rating is an opinion as to the creditworthiness of a security. This opinion and reports made by Fitch are based on established criteria and methodologies that Fitch is continuously evaluating and updating. Therefore, ratings and reports are the collective work product of Fitch and no individual, or group of individuals, is solely responsible for a rating or a report. The rating does not address the risk of loss due to risks other than credit risk, unless such risk is specifically mentioned. Fitch is not engaged in the offer or sale of any security. All Fitch reports have shared authorship. Individuals identified in a Fitch report were involved in, but are not solely responsible for, the opinions stated therein. The individuals are named for contact purposes only. A report providing a Fitch rating is neither a prospectus nor a substitute for the information assembled, verified and presented to investors by the issuer and its agents in connection with the sale of the securities. Ratings may be changed or withdrawn at any time for any reason in the sole discretion of Fitch. Fitch does not provide investment advice of any sort. Ratings are not a recommendation to buy, sell, or hold any security. Ratings do not comment on the adequacy of market price, the suitability of any security for a particular investor, or the tax-exempt nature or taxability of payments made in respect to any security. Fitch receives fees from issuers, insurers, guarantors, other obligors, and underwriters for rating securities. Such fees generally vary from US$1,000 to US$750,000 (or the applicable currency equivalent) per issue. In certain cases, Fitch will rate all or a number of issues issued by a particular issuer, or insured or guaranteed by a particular insurer or guarantor, for a single annual fee. Such fees are expected to vary from US$10,000 to US$1,500,000 (or the applicable currency equivalent). The assignment, publication, or dissemination of a rating by Fitch shall not constitute a consent by Fitch to use its name as an expert in connection with any registration statement filed under the United States securities laws, the Financial Services and Markets Act of 2000 of the United Kingdom, or the securities laws of any particular jurisdiction. Due to the relative efficiency of electronic publishing and distribution, Fitch research may be available to electronic subscribers up to three days earlier than to print subscribers.

For Australia, New Zealand, Taiwan and South Korea only: Fitch Australia Pty Ltd holds an Australian financial services license (AFS license no. 337123) which authorizes it to provide credit ratings to wholesale clients only. Credit ratings information published by Fitch is not intended to be used by persons who are retail clients within the meaning of the Corporations Act 2001.

Contacts

Fitch Ratings
Joo-Yung Lee
Managing Director
Financial Institutions
+1 212 908-0560
33 Whitehall Street
New York, NY 10004
or
Sean Pattap
Senior Director
Financial Institutions
+1 212 908-0642
or
Justin Patrie, CFA
Fitch Wire
+1 646 582-4964
or
Media Relations:
Hannah James, New York, + 1 646-582-4947
Email: hannah.james@fitchratings.com

Contacts

Fitch Ratings
Joo-Yung Lee
Managing Director
Financial Institutions
+1 212 908-0560
33 Whitehall Street
New York, NY 10004
or
Sean Pattap
Senior Director
Financial Institutions
+1 212 908-0642
or
Justin Patrie, CFA
Fitch Wire
+1 646 582-4964
or
Media Relations:
Hannah James, New York, + 1 646-582-4947
Email: hannah.james@fitchratings.com