Bigger Not Always Better for Bank Cyber Risk Scores

Internet security shield business concept. Business woman applies finger to fingerprint scanner to access database, data protection concept. Templates cybersecurity. Data security isometric concept

Big banks are not automatically well equipped to combat the rapidly growing problem of cybercrimes, according to a new Fitch Ratings report. “Exploring Bank Cybersecurity Risk” outlines how cybersecurity issues can impact bank credit ratings.

Fitch collaborated on the report with SecurityScorecard, a leading cybersecurity risk assessment company, to gain insights into bank cyber risk management and their relative vulnerability to a cyber event.

SecurityScorecard provides an “outside-in” view of an entity’s cyber hygiene, enabling market participants to understand cybersecurity risk in a transparent way with continuous cybersecurity scores.

Using SecurityScorecard’s cybersecurity scores, Fitch analyzed 484 banks across the world representing $111 trillion of aggregate assets or 70% of global banking assets. The analysis revealed that banks with higher credit ratings typically exhibited better cybersecurity scores than banks with lower credit ratings, while developed market banks scored higher with less variability vs. emerging market banks.

Perhaps the most surprising conclusion in Fitch’s sample analysis is that financial size, in terms of assets or operating income is not necessarily a good predictor of cyber health. “Larger banks are more likely to have complex and also legacy IT infrastructure compared to smaller banks, which could increase cybersecurity risk if not properly managed,” said Managing Director Christopher Wolfe.

Cybersecurity risk is a subset of the Risk Controls and Risk Appetite component of Fitch’s Bank Rating Criteria. A material cyber breach would represent an event risk which could have rating implications. While Fitch has not downgraded a bank solely in response to a cybersecurity event to date, cyber breaches have resulted in heightened rating sensitivities for banks, indicating that their ratings are at more risk of a downgrade as a result of the breach.

“Cybersecurity risk scores bring visibility into this opaque risk, and these insights can help spotlight vulnerabilities,”

Fitch also announced a partnership with SecurityScorecard in a separate press release published today (‘Fitch Ratings Teams With SecurityScorecard to Assess Digitalization, Cyber Risk’). Fitch Ventures, the equity investment arm of Fitch Group, recently supported SecurityScorecard’s Series E preferred stock financing round.

‘Exploring Bank Cybersecurity Risk’ is available at ‘www.fitchratings.com’. More information on SecurityScorecard is available at ‘www.securityscorecard.com’.