Having reported only a handful of minor cyberattacks over the past decade, banks in the Gulf Cooperation Council (GCC) are managing their exposure to cyber risk effectively, including through adequate digital security investments.
This formed the primary narrative of the ‘Gulf Banks’ Strong Capitalisation Supports Resilience To Cyber Risk’ report, which has recently been published by its authors S&P Global Ratings.
Despite the fortunate lack of cyberattacks being recorded in the region, management of cyber risk has taken on greater importance as banks transitioned to online platforms during the pandemic.
That shift has been conducted with minimal disruption, being supported by infrastructure and system investments. At the same time the banks’ strong profitability, capitalisation and liquidity provide a financial buffer against potential incidents.
Potential losses
The region’s top 19 banks (for which data was available) are forecast to suffer an average 7.5 per cent fall in net income and a 0.6 per cent decline in equity if a high-severity cyber incident occurred; according to Guidewire.
At the same time, banks’ average operational risk capital charge was 3.6 per cent of total equity.
The data suggests that GCC banks appear to have sufficient operational risk capital behind them to cover losses related to cyber risk.
The risk of cyberattacks appears even higher for banks with greater geographic diversification (particularly those with operations in regions more prone to cyber-attacks than the GCC) and banks with extensive retail operations, which have proven more likely to attract the interest of hackers.
Guidewire’s findings suggest that the cyber risk profile of GCC banks is comparable to developed markets, rather than emerging market banks. It is notable that emerging markets are significantly more prone than the GCC to indirect business interruption issues, which stem from problems at third-party service providers.
That could be explained by GCC countries’ significant investment in infrastructure, which appears to have reduced indirect business interruption risks.
