‘GCC banks’ exposure to cyber risk is manageable’

Banks in the Gulf Cooperation Council (GCC) are managing their exposure to cyber risk effectively, including through investment in digital security, S&P Global Ratings has said in a report published on Tuesday.
S&P Global Ratings believes GCC banks’ exposure to cyber risk is manageable, assuming they continue to invest in cyber security and proactively manage risk, taking into consideration the evolving nature of threats. We note that GCC banks have reported only a handful of digital breaches and cyberattacks over the past decade. While some might have gone unreported, it is likely these were minor incidents given the absence of significant losses in financial reports and the banks’ relatively low operational risk capital charges.
Despite minor incidents of cyberattacks, the report said, “Yet the management of cyber risk has taken on greater importance as the region’s banks moved activities to online platforms during the pandemic. That shift has been conducted with minimal disruption, thanks to years of investment in infrastructure and systems. At the same time the banks’ strong profitability, capitalisation, and liquidity provide a financial buffer against potential incidents.”
“Our view of manageable cyber risk for GCC banks is supported by data from cyber security specialist Guidewire,” it said.
Guidewire, a cyber security specialist, estimates that the region’s top 19 banks for which data was available would suffer an average 7.5 percent fall in net income and a 0.6 percent decline in equity, based on figures from the end of 2021, under a high-severity cyber incident; at the same time, the banks’ average operational risk capital charge was 3.6 percent of total equity.
“We believe the data suggests that GCC banks appear to have sufficient operational risk capital to cover losses related to cyber risk. The risk of cyberattacks appears even higher for banks with greater geographic diversification, particularly those with operations in regions more prone to cyber-attacks than the GCC and banks with extensive retail operations, which have proven more likely to attract the interest of hackers,” it said.
Guidewire’s findings suggest that the cyber risk profile of GCC banks is comparable to developed markets, rather than emerging market banks. It is notable that emerging markets are significantly more prone than the GCC to indirect business interruption issues, which stem from problems at third-party service providers. That could be explained by GCC countries’ significant investment in infrastructure, which appears to have reduced indirect business interruption risks.