Fitch Ratings warns of credit implications as cyber attacks pose risks to structured finance deals
Jan 26, 2024
New Delhi [India], January 26 : Fitch Ratings has raised concerns about the potential credit implications for structured finance (SF) transactions in the face of cyber-attacks, even if these attacks do not directly lead to payment defaults.
As per Fitch Ratings, the impact on SF notes could result from operational disruptions, a re-evaluation of risk management quality, or spill-overs affecting underlying obligor behaviour. Ultimately, a cyber attack could result in a missed bond payment, creating credit implications for SF transactions.
The severity and duration of a cyber attack, along with the effectiveness of backup systems and mitigants, will determine the impact on transaction parties.
Fitch has outlined its treatment of payment force majeure, including consequences of cyber attacks, in its updated Global Structured Finance Rating Criteria published on January 19, 2024.
A missed payment due to a cyber attack considered as payment force majeure may not immediately constitute a default.
However, an extended non-payment of non-deferrable amounts could be deemed a default on the obligation rating, typically after 30 calendar days from the missed payment date.
Fitch's SF analysis considers the presence and effectiveness of structural features to mitigate payment interruption risks.
Liquidity facilities and deferrable bond payments are factors that could likely mitigate risks arising from a cyber attack affecting the collection process.
The analysis also considers factors that can reduce the impact of such events, such as the frequency of fund transfers to the transaction account by servicers.
A cyber attack could disrupt asset pool servicing by causing IT system shutdowns due to unauthorized third-party access or locking out relevant business segments from specific IT systems.
If a servicer is temporarily unable to identify collected payments or service the underlying portfolio, it may lead to delays and complications.
The impact of a cyber attack on a servicer, if not resolved swiftly with alternative arrangements in place, could delay reporting, affecting external parties involved in calculating and distributing interest and principal amounts to noteholders.
Reputational risk is also a concern, especially in cases involving data theft, leading to potential business loss, fines, or lawsuits, jeopardizing a servicer's future viability.
Impaired servicing could affect SF transaction performance if obligors' willingness to service debt declines due to customer data theft.
Fitch Ratings already considers cybersecurity protocols and disaster recovery plans when assigning and reviewing operational risk ratings for loan servicers.
Key protections highlighted include robust endpoint security infrastructure, intrusion prevention and detection tools, clear patch management strategies, network segregation, staff training, and cybersecurity insurance coverage.
As cyber threats continue to evolve, Fitch emphasizes the importance of vigilance and robust risk management practices in safeguarding the stability and creditworthiness of structured finance deals against potential cyber risks.