‘Systemic’ Cyberattack Presents Real Risk for US Banks

US banks face material risks from ‘systematic’ cyberattacks despite being able to withstand average modelled cyber risk losses, according to Fitch.

In a new report entitled “Quantifying US Bank Systemic Cybersecurity Risk” it was found that banks could still encounter material risks from tail events of major attacks.

The credit rating agency conducted an analysis with CyberCube to analyze the potential impact of systemic cyber events on 4,900 US banks under various scenarios over a one-year period.

CyberCube’s model focuses on “single points of failure” (SPoF) which includes technologies such as operating systems, and cloud service providers.

According to the report, a cyber-attack on a particular SPof could have a “cascading impact” on the identified connected banks.

“Our work with Fitch has identified the top threat scenarios for the US banking system, and the repercussions a cyber risk might have on an individual bank,” said Souki Chahid, principal product advisor at CyberCube.

“A greater understanding of the inherent risks faced by the banking sector will support banks in their decision-making with regards to their insurance purchasing and their operational risk.”

The financial cost of a cyber event can go beyond a requested ransom payment. Additional costs can also include data restoration, investigation and response, regulatory or legal fines, and brand damage.

“Systemic cyber risks are as important to analyze as idiosyncratic cyber risks,” said Fitch managing director Christopher Wolfe.

“Cyber risk is evolving into broader aggregations and concentrations within the vendor management and supply chain. An incident at a single critical third or fourth-party vendor could lead to significant business interruption losses.”

In July, US banks were among hundreds of companies hit by a global ransomware attack with criminals attempting to extort $70 million in ransom payments.

In that attack, Kaseya – which provides IT infrastructure to many banking companies throughout the country – was targeted by criminal hacking gang REvil.