Gulf banks remain on par with their Western counterparts.
The resilience of GCC banks to cyberattacks was sorely tested during the pandemic as customers shunned physical interaction for online banking. The overnight change in behavior exposed many financial institutions worldwide to disruption in day-to-day business operations. But a new report says that years of investment in infrastructure, systems and software shielded GCC banks, and that they are well positioned to meet future attacks.
S&P Global Ratings estimates the region’s top 19 banks would suffer an average 7.5% fall in net income and just a 0.6% decline in equity in a serious hacking incident. Operational-risk capital, which includes cyber-risk, stood at 3.4% of total equity at the end of 2021 and implies GCC banks view threats from cyberattacks as low. Even so, threats continue to evolve.
S&P authors add that data breaches are among the most significant threats facing GCC lenders. A sophisticated attack could compromise systems and allow access to sensitive customer information. “Ransomware-related attacks leading to data leaks increased by 82% in 2021,” says the rating agency, citing the 2022 Global Threat Report from cybersecurity firm CrowdStrike.
Costs to organizations from such attacks are escalating fast. In a June blog post, Ryan Olson, vice president of Unit 42 incident response and threat research team at Palo Alto Networks, wrote that the average ransom payment is now approaching $1 million. Ransom is only one of the techniques used against organizations.
“Cyber-risk can take the form of data breach and include theft of internal data by third parties and direct or indirect business interruption—for example, distributed denial of service attacks,” says Mohamed Damak, senior director of financial services, S&P Global Ratings.
In simulations, S&P says, “banks with higher geographic diversification face greater risks, as do those with more-extensive retail operations.” The conclusion builds on earlier findings by cybersecurity specialist Guidewire. However, Guidewire’s analysis excludes the financial impact of a cyberattack on a bank’s business position, revenue loss due to reputation damage, or cyber-ransom.
S&P Global Ratings, which includes these factors in its credit ratings, argues that a large-scale attack could have systemic implications and force government intervention to stabilize the sector. But the absence of significant losses in banks’ financial statements provides reassurance. According to S&P, GCC banks’ ongoing resilience is boosted by strong profitability, capitalization and liquidity.
Regulators Raise The Bar
Local regulators have also minimized the risk of major cyber incidents. In 2017, the Saudi central bank issued updated rules regarding cybersecurity that specify governance, risk management and compliance requirements. More recently, in 2021, the Central Bank of the UAE established its Networking and Cyber Security Operations Centre to help protect the local financial system.
The region’s cyber-resilience is strong when benchmarked against other emerging markets; Guidewire’s findings suggest that the cyber-risk profile of GCC banks is more comparable to those of developed markets. “It is notable that emerging markets are significantly more prone than the GCC to indirect business interruption issues, which stem from problems at third-party service providers,” according to S&P.
In recent years, GCC governments have turned to China for support in developing their digital economies. In contrast, some GCC states have agreed to a rapprochement with Israel, known as the Abraham Accords. Analysts say both developments will significantly boost the region’s resistance to cyberattacks and strengthen the private sector’s security credentials.
That may provide GCC banks a tactical advantage during the upheaval in the global payments market posed by the competitive threat from cryptocurrencies. This sector has recently experienced catastrophic failures in cybersecurity.
And the future role of GCC banks in the region’s digital transformation is expected to be significant. According to consulting firm A.T. Kearney Middle East, the e-commerce business in Gulf countries could reach $50 billion by 2025, up from around $22 billion in 2020.
