While there are not yet any reports of financial losses, the data breaches acknowledged by Bank of Montreal (BMO) and Canadian Imperial Bank of Commerce (CIBC) last week could cause reputational damage, says Moody’s Investors Service in a report published on Monday.
Last week, both banks announced they were the targets of apparent security breaches involving 50,000 BMO clients and 40,000 clients of Simplii, CIBC’s direct banking affiliate.
The perpetrators allegedly demanded payments from the banks in exchange for not publishing the client information.
There’s no indication that any of their clients have lost any money as a result of the breach, the report says, and the banks are committed to reimbursing clients for any losses. Nevertheless, the reputational risk to the banks from the security breach is “credit negative,” the report says.
“Current and potential customers may react to the perception that these banks have not sufficiently protected their personal and financial data by taking their business elsewhere,” it says.
Indeed, cybersecurity threats are an increasing credit risk for banks and other financial institutions generally. In addition to the possible reputational damage, “Such risks expose an institution to legal actions, regulatory scrutiny, fines and other unexpected expenses,” the report says.
These risks will likely continue to grow, it warns. “As banks continue to invest in digitization initiatives intended to improve the customer experience and create cost efficiencies while improving risk management capabilities, the prospect of successful cyber-attacks increases,” the report says.
And, at the same time, attackers are becoming more sophisticated, further intensifying the risks. “Banks globally are prime targets for cyber criminals and are subject to an escalating rate of attacks, which occur now on a daily basis,” the report says.
The relatively limited scope of the alleged breach, given that both banks have millions of clients, “indicates internal controls to limit the scope of a successful intrusion once access management controls have been breached,” the report says.