Efforts helpful in establishing ‘minimum standards’New market analysis from Fitch Ratings asserts cyber-threats likely to increase in size, volume and sophistication. Learn more here.
Fitch Ratings-New York/Chicago-25 May 2021: U.S. cyber legislation and regulation are rapidly evolving, as seen with the President’s recent Executive Order 14028 on cybersecurity, five bipartisan bills introduced in the House of Representatives and numerous state legislatures addressing cybersecurity and privacy, Fitch Ratings says.
These regulations are helpful in establishing minimum standards. However, increased regulation in and of itself is not likely to fully thwart cyberattacks, which are expected to increase in size, volume and sophistication globally. The increase in attacks and severity has the potential to become a credit issue, and Fitch will evaluate a major incident within the context of each issuer’s credit profile.
Risk Of Prosecution Low, Profit Incentive High
To date, the risk of criminal prosecution remains low, while profit incentives for cyber-attackers remains high. The effects of regulation will be asymmetrical depending on the sector. Less regulated sectors, including non-financial corporates, will be more affected by increased regulatory oversight than sectors such as banks and insurance, which are already highly regulated. Over the longer term, we see more regulation related to cybersecurity as broadly beneficial, as this will require sectors that have lagged on cybersecurity to increase investments against this risk.
While increased cybersecurity regulations should be positive, the proliferation of uncoordinated or piecemeal cybersecurity regulations and laws can actually make managing cyber risk both more difficult in terms of compliance, cost and transparency. Cyber risk is unique in that attackers operate globally, and therefore global coordination on cybersecurity standards and enforcement are critical for long-term success to combat this growing risk.
A Positive For Bolstering Cyber Hygiene
Fitch views legislation that mandates layered controls and cyber basics, such as network segmentation, multifactor authentication, encryption, identity and access management, and cyber incident reporting, as positive for bolstering cyber hygiene. The recent high-profile cyber attack of the Colonial Pipeline underscores the importance of network segmentation between information technology (IT) and operational technology (OT). The prevention or mitigation of cyber attacks when they do occur is essential for all sectors of the economy, particularly US critical infrastructure.
We expect the financial, reputational and legal risks to continue to grow. Along with the potential for federal legislation or executive action, states such as New York, California, Virginia, Nevada and Massachusetts have recently enacted their own legislation aimed at identifying and assessing cybersecurity risks that may threaten the security or integrity of nonpublic information. These laws carry potentially steep penalties for violations, highlighting the need for regulatory compliance. The New York Department of Financial Services has one of the most comprehensive state laws related to cyber risk. It covers several common aspects of cyber risk, has exclusions related to size, and carries penalties for lack of compliance.
Related: Bigger Not Always Better For Bank Cyber-Risk Scores
Big banks are not automatically well equipped to combat the rapidly growing problem of cybercrimes, according to a new Fitch Ratings report. “Exploring Bank Cybersecurity Risk” outlines how cybersecurity issues can impact bank credit ratings.
Fitch collaborated on the report with SecurityScorecard, a leading cybersecurity risk assessment company, to gain insights into bank cyber risk management and their relative vulnerability to a cyber event. SecurityScorecard provides an “outside-in” view of an entity’s cyber hygiene, enabling market participants to understand cybersecurity risk in a transparent way with continuous cybersecurity scores.
Using SecurityScorecard’s cybersecurity scores, Fitch analyzed 484 banks across the world representing $111 trillion of aggregate assets or 70% of global banking assets. The analysis revealed that banks with higher credit ratings typically exhibited better cybersecurity scores than banks with lower credit ratings, while developed market banks scored higher with less variability vs. emerging market banks.
Perhaps the most surprising conclusion in Fitch’s sample analysis is that financial size, in terms of assets or operating income is not necessarily a good predictor of cyber health. “Larger banks are more likely to have complex and also legacy IT infrastructure compared to smaller banks, which could increase cybersecurity risk if not properly managed,” said Managing Director Christopher Wolfe.