Strong profitability, capitalisation and liquidity provide a financial buffer to the region's lenders against potential cyber incidents, the rating agency said in a report.
They have reported only a “handful of minor cyber attacks” over the past decade, the report said.
The pandemic has accelerated digitisation of the global banking sector — a trend that was already under way in the Gulf — at an unprecedented rate. More consumers began transacting online at the peak of the pandemic-induced movement curbs.
Amid the accelerated digital transformation and online purchasing, cyber risk emerged as one of the major threats to the operations and credit profiles of financial institutions, S&P said.
“GCC banks laid the foundation for success over several years by investing in infrastructure and systems, including equipment and software, to minimise their exposure to cyber risk … while also benefitting from supportive regulatory frameworks and cyber risk requirements,” the rating agency said.
“There have been no major interruptions to the operations of banks in GCC countries … GCC banks' exposure to cyber risk is manageable, assuming they continue to invest in cyber security and proactively manage risk, taking into consideration the evolving nature of threats.”
Globally, cyber criminal activities were projected to inflict damage worth about $6 trillion in 2021, a study by research company Cybersecurity Ventures found.
Cyber crime costs are expected to increase nearly 15 per cent on a yearly basis worldwide over the next three years to reach $10.5tn annually by 2025 — from $3tn in 2015, the California-based firm said.
Over the years, the GCC banks have adopted strong regulatory frameworks focused on improving cyber security.
For example, the Central Bank of the UAE last year established a networking and cyber security operations centre to protect the local financial system against cyber attacks.
The Saudi Central Bank's cyber security framework, issued in 2017, defined requirements around governance, risk management, compliance, operations, technology and the use of third-party cyber security services by regulated entities. This year, those rules were supplemented with a document on cyber threat intelligence principles, which addressed the production and dissemination of intelligence aimed at identifying and minimising cyber threats.
The Central Bank of Qatar also published a circular in 2018 outlining the regulatory requirements banks must fulfil to effectively manage cyber risk.
Cyber risks range from a temporary interruption of services to a complete shutdown of IT systems.
They can harm banks' credit profiles through reputational damage, as well as monetary loss. In extreme cases, they could have negative implications on liquidity through a sudden outflow of funds.
Data breaches are among the biggest risks, said S&P report, which is supported by data from cyber security specialist Guidewire.
The data estimated that GCC's top 19 banks would suffer an average 7.5 per cent fall in net income and a 0.6 per cent decline in equity (based on figures from the end of 2021) under a high-severity cyber incident. The banks' average operational risk capital charge was 3.6 per cent of the total equity.
“Data suggests that GCC banks appear to have sufficient operational risk capital to cover losses related to cyber risk,” S&P said.
GCC banks have faced sporadic incidents of cyber attacks in the past.
Hackers claimed to gained access to the servers of one bank in the Gulf and leaked personal data of its customers, S&P report said. Documents were subsequently posted to the whistleblower site Cryptome in April 2016. The leak comprised more than 15,000 files, including passwords, personal identification numbers and payment card data.
In October 2018, an attack on Pakistan's banking system resulted in the theft of details relating to more than 19,000 debit cards, including 25 cards issued by a Bahraini bank with operations in Pakistan.
In February 2013, a bank in Oman said that 12 of its credit cards were compromised in an alleged hack originating from outside the sultanate.