GCC banks' strong capitalisation supports resilience to cyber risks
Banks in the GCC countries are managing their exposure to cyber risk effectively, including through investment in digital security, S&P Global Ratings said in a report on Tuesday.
GCC banks, the report noted, have reported only a handful of minor cyberattacks over the past decade. Yet management of cyber risk has taken on greater importance as the region's banks moved activities to online platforms during the pandemic.
That shift has been conducted with minimal disruption, thanks to years of investment in infrastructure and systems. At the same time the GCC banks' strong profitability, capitalisation, and liquidity provide a financial buffer against potential incidents, said S&P.
S&P said its view of manageable cyber risk for GCC banks is supported by data from cyber security specialist Guidewire.
Guidewire estimates that, under a high-severity cyber incident, the region's top 19 banks (for which data was available) would suffer an average 7.5 per cent fall in net income and a 0.6 per cent decline in equity, based on figures from the end of 2021. At the same time, the banks' average operational risk capital charge was 3.6 per cent of total equity.
'We believe the (Guidewire) data suggests that GCC banks appear to have sufficient operational risk capital to cover losses related to cyber risk,' S&P said.
Cyber risk is a mounting threat to the operations and credit profiles of financial institutions, and never more so than since the pandemic accelerated the shift to online banking.
There have been no major interruptions to the operations of banks in GCC countries, however.
S&P believes GCC banks' exposure to cyber risk is manageable, assuming they continue to invest in cyber security and proactively manage risk, taking into consideration the evolving nature of threats.
'We note that GCC banks have reported only a handful of digital breaches and cyberattacks over the past decade. While some might have gone unreported, it is likely these were minor incidents given the absence of significant losses in financial reports and the banks' relatively low operational risk capital charges,' the ratings agency added.
Guidewire's findings suggest that the cyber risk profile of GCC banks is comparable to that of banks in developed markets, rather than that of emerging market banks.
'It is notable that emerging markets are significantly more prone than the GCC to indirect business interruption issues, which stem from problems at third-party service providers. That could be explained by GCC countries' significant investment in infrastructure, which appears to have reduced indirect business interruption risks,' S&P said.