Standard & Poor’s on Monday said that it could downgrade banks with weak cybersecurity, even if they haven’t been attacked.
S&P has yet to downgrade any bank that has suffered a security breach because the cyberattacks so far have not resulted in reputational issues or monetary or legal damages that significantly hurt profits, S&P analysts led by Stuart Plesser wrote in a report.
However, in the future, S&P could downgrade a bank before an actual attack if the credit ratings agency believed that the bank was ill-prepared to withstand such an attack. A downgrade could also come after an actual breach if S&P believed the breach caused significant reputational issues that could result in a major loss of customers or if the monetary or legal losses significantly hurt capital.
Should the banking industry as a whole succumb to a series of repeated, serious breaches of security, S&P could also consider whether such developments were sufficient to warrant a worsening industry risk assessment in its banking industry country risk assessments, which the agency uses to set the anchor for its bank ratings.
“We don’t believe any cyberdefense is fail proof,” the analysts wrote in the report. “But a strong, well thought out strategy, coupled with a rapid ability for a bank to understand when its systems have been maliciously penetrated and swiftly take the necessary actions, such as isolating the attack, is key to a successful cybersecurity strategy.”