IT security can affect bank credit ratings: Standard & Poor’s

Credit ratings agency Standard & Poor’s has recently signalled that “cybersecurity as an emerging threat … has the potential to pose a higher risk to financial institutions in the future, and possibly result in [credit] downgrades.”

The ratings agency has gone so far as to say that if a bank or other financial institution is ill-prepared to withstand an IT security breach, it could be downgraded even without suffering an actual attack. And (more conventionally) a downgrade may also be warranted after a breach, if the breach causes significant reputational issues with the potential to result in a major loss of customers, or if the financial or legal losses significantly affect the bank’s balance sheet.

With that in mind, Standard & Poor’s notes that it has begun to ask a range of questions regarding financial institutions’ preparedness against IT security breaches, including:

  • Do you have a robust, well-documented program to monitor IT security risks?
  • Does the financial institution have any third-party vendor oversight? If so, what kind and how much?
  • How long has it typically taken to detect an attack?
  • What containment procedures are in place if the financial institution is breached?
  • Are emergency scenarios test-run?
  • What software or other techniques are used to monitor attacks?
  • What kind of expertise about IT security exists on the board of directors?
  • How much does the financial institution spend on IT security, and what resources does it devote? What is the total tech budget this year versus last?
  • Does the financial institution have any insurance to compensate for an IT security breach?

Link: Standard & Poor’s article