Credit ratings agency Standard & Poor’s has recently signalled that “cybersecurity as an emerging threat … has the potential to pose a higher risk to financial institutions in the future, and possibly result in [credit] downgrades.”
The ratings agency has gone so far as to say that if a bank or other financial institution is ill-prepared to withstand an IT security breach, it could be downgraded even without suffering an actual attack. And (more conventionally) a downgrade may also be warranted after a breach, if the breach causes significant reputational issues with the potential to result in a major loss of customers, or if the financial or legal losses significantly affect the bank’s balance sheet.
With that in mind, Standard & Poor’s notes that it has begun to ask a range of questions regarding financial institutions’ preparedness against IT security breaches, including:
- Do you have a robust, well-documented program to monitor IT security risks?
- Does the financial institution have any third-party vendor oversight? If so, what kind and how much?
- How long has it typically taken to detect an attack?
- What containment procedures are in place if the financial institution is breached?
- Are emergency scenarios test-run?
- What software or other techniques are used to monitor attacks?
- What kind of expertise about IT security exists on the board of directors?
- How much does the financial institution spend on IT security, and what resources does it devote? What is the total tech budget this year versus last?
- Does the financial institution have any insurance to compensate for an IT security breach?