In a note published last week, ratings agency Standard & Poors (S&P) said it viewed banks as natural targets facing a high threat of cyber-risk, although it considered the global credit risk of a cyber attack to be only medium, because it believes large banks have taken appropriate steps to mitigate known risks. However, cybersecurity is a continual battle, and S&P flagged the possibility of negative rating actions against banks with weak cybersecurity in the future.
Although there have been a number of security breaches, S&P has not as yet taken ratings action against any bank, as to date those breaches have not resulted in significant reputational or monetary damages. Nonetheless, S&P indicated that it might well downgrade a bank if a breach created serious reputational issues that could cause a significant loss of customers, or if the monetary or legal losses flowing from the breach materially impacted the bank's capital.
It is important to note that S&P also suggested it might downgrade a bank even before an attack occurred where it believed the bank was ill-prepared to withstand a cyber attack. The note sets out some of the questions that S&P is currently asking bank management teams, in order to assess how well prepared they in fact are.
With cybersecurity already at the forefront of regulator's minds in the UK (UK: Cyber-security – what level of security will be sufficient to meet a firm’s regulatory obligations?) and an increasingly large focus of the EU (The EU’s fight against cybercrime continues – attacks against information systems), potential action by ratings agencies is yet another in the long list of reasons for banks to make cybersecurity a priority.
![]() |
![]() |
| Ben Worrall Associate +442074662385 | Karen Anderson Partner +442074662404 |
Key contacts
Karen Anderson
Consultant, London
Susannah Cogman
Partner, London
Elizabeth Head
Of Counsel, London
Kelesi Blundell
Partner, London
Marina Reason
Partner, London
Hywel Jenkins
Partner, London
Chris Ninan
Partner, London
Jon Ford
Partner, London
Clive Cunningham
Consultant, London
Simone Hui
Of Counsel, Hong Kong
Chee Hian Kwah
Director, Prolegis LLC, Singapore
Valerie Tao
Knowledge Lawyer, Hong Kong
Cat Dankos
Senior Regulatory Consultant, London
Disclaimer
The articles published on this website, current at the dates of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action.

