Fitch warns Sovereigns face growing risk from cyberattacks

Sovereigns are being targeted with increasing frequency by cyberattacks, and authorities are devoting more resources to defending against them, with the greatest threats from cyber-capable states and criminal groups sheltered by them, Fitch Ratings says in a new report. Russia’s invasion of Ukraine in February 2022 and the US-led sanctions response have heightened fears of an escalation.

Cyberattacks are event risks that are hard to predict and quantify, and relevant data are far from comprehensive. It is difficult to envisage Fitch taking rating actions on a sovereign ex-ante, based on cyber readiness concerns or risks. But Fitch plans to gather more information on cyber risks as part of its rating activity.

Ranked alongside other sovereign creditworthiness drivers, the risk of a severe cyberattack is a tail risk, a low-probability event but with potentially significant impact. In the event of a cyberattack, Fitch would assess the impact on the economy, public and external finances and other credit variables relative to ratings headroom and financial, operational and reputational impacts, in line with our criteria. Fitch has not so far taken any rating action on a sovereign or non-sovereign issuer as a result of a cyberattack.

Some countries facing geopolitical risks are more likely to suffer cyberattacks emanating from hostile states. But as seen in the case of the 2022 ransomware attack on neutral Costa Rica, they can be targeted anywhere and profit is the most common motive.

The most critical targets from a sovereign credit perspective are a country’s finance ministry and central bank. Potential credit impacts from cyberattacks range from short-term ones, such as disrupting payment systems, tax collection or critical infrastructure, to long-term, structural ones, such as undermining governance. A cyberattack could help to precipitate a debt crisis, in combination with other factors.