Structured finance securitizations generally have had limited direct exposure to cyberattacks; however, operational risks remain, and increased understanding of issuer preparedness is key.
Sept. 08, 2021
This report does not constitute a rating action.
Matthew S Mitchell, Paris, matthew.mitchell@spglobal.com
Cyberattacks are becoming more and more sophisticated, and structured finance transactions are not immune. At S&P Global Ratings, we have seen more credit-relevant cyber events in the last six months than in the previous six years, including the first structured finance transaction reporting an operational disruption following a ransomware attack on the originator and servicer (see “Cyber Risk In A New Era: The Increasing Credit Relevance Of Cybersecurity,” published July 14, 2021).
We routinely reflect on recent cyber developments to sharpen our focus and to help us refine our forward-looking credit views. We explore several hypothetical cyber event scenarios to identify areas of potential risk, and consider how structural features common in securitizations may help issuers respond to, and recover from, a material cyber event.
Overall, we believe transaction structures are relatively well prepared to respond to a cyber event, and have not taken any rating actions directly attributed to a cyberattack to date. However, failure of the issuer to remedy exposure to a cyber event in a timely manner could lead to negative rating action.
Being established as special-purpose entities (SPEs), structured finance issuers typically do not have any IT infrastructure, external network footprints, or employees who may present network vulnerabilities for hackers to exploit. We therefore believe it is unlikely that they would be directly exposed to a cyberattack. However, an SPE’s reliance on third parties to perform daily activities, such as collecting on the assets and arranging payments to creditors, introduces potential cyber vulnerabilities.
For the key transaction parties in a simplified securitization structure, shown below, we have identified some hypothetical scenarios where, in our view, the relationship between the issuer and the transaction party could expose a transaction to cyber risk. These scenarios are not intended to be exhaustive, but may help gauge the level of preparedness of securitizations to manage potential cyber events based on existing structural features.
The ability to make timely debt service payments on securitizations is generally dependent on the timely collection of payments from the underlying assets, the remittance of those collections to the issuer, and the disbursement to the issuer’s creditors. Transaction structures typically contain numerous features that are designed to mitigate any disruption that may occur in this flow of funds, including from a potential cyber event.
Special-purpose entity
Being established as bankruptcy remote SPEs, securitization issuers generally do not have any IT network that hackers would be able to exploit.
Liquidity reserves
Transactions may contain cash reserves, lines of credit, or other liquidity facilities, which could be used to ensure timely interest payments are made on the notes, if there is a disruption in collections from obligors or delay in transferring these amounts to the issuer’s account. This may prevent an event of default from occurring, until collections or account sweeps can be restored.
Performance triggers
If underlying borrowers were affected by a cyber event and delinquencies or losses in the collateral pool increased, performance triggers may change the transaction’s priority of payments. For example, a pro rata payment structure may switch to sequential if certain triggers are breached, or a revolving transaction may begin to amortize, which would be expected to increase the credit enhancement for the senior notes.
Replacement of transaction parties
Transaction documents contemplate the replacement of transaction parties if they are unable to perform their roles. For parties who perform an administrative function, we believe that disruptions could be remedied without material delay, given the relative ease with which they can be replaced.
Minimum required credit ratings on financial counterparties
Financial counterparties in transactions, such as bank account providers or derivative counterparties, typically have minimum required credit ratings to remain eligible. When assessing the credit quality of these entities, we consider their governance frameworks and operational risk exposure, and where warranted their cyber risk approach. There are typically replacement commitments in place for counterparties who fail to maintain the minimum required credit ratings, or other remedies such as the counterparty posting collateral with a third party.
Back-up servicer
A back-up servicer may be appointed if the initial servicer is unable to perform its role. The operational readiness of the back-up servicer, such as hot, warm, or cold, may affect the timeliness of the servicing transition and period required to resume collections.
Data trustee
A data trustee may hold encrypted borrower data, which could be used by the servicer, back-up, or other transaction parties if the servicer’s systems or electronic records were not available.
Cash manager
If the servicer is unable to determine the allocations of the available distribution amounts, an independent cash manager may use prior reports as a proxy to ensure timely interest payments are continued until the reporting is restored.
Direct debit collections
In our view, if there are disruptions at the servicer or collection account bank, it would be operationally easier to implement a change in payment instructions for obligors who pay by direct debit than for borrowers who themselves select the account to which payments are made.
Indemnities
The servicer may remain liable for remitting to the issuer amounts deposited in the collection account that may be lost or inaccessible if the account provider is affected by a cyber event.
Sweeping frequency
A shorter sweeping frequency from the servicer’s account to the issuer account may reduce the exposure to cyber events at the servicer and collection account provider by limiting the amounts on deposit.
Payment frequency
Transactions with longer periods between interest payment dates may have embedded liquidity as there may be more time following a cyber event to resolve issues before payments come due. Meanwhile, transactions with short legal maturity dates, such as asset-backed commercial paper, may be more vulnerable to default if there is a payment disruption.
The first line of defense against a potential payment disruption in a transaction, including those from a cyber event, is the effectiveness of the transaction party in limiting exposure to the risk and managing any disruption if the risk materializes. As a second line of defense, the presence of structural mitigants could remedy a payment disruption and ensure timely payments are maintained on the rated notes.
Performance key transaction parties. In our view, the servicer typically poses the largest potential for payment disruption in a securitization from a cyberattack. This is because the performance of the receivables, which are the primary source of cash flow to repay the rated notes, could be directly affected by a cyber event at the servicer. We believe the risk would be magnified for some asset classes that depend heavily on active, highly specialized servicers (e.g., re-leasing, repossession, maintenance and/or remarketing services), or in sectors with a close linkage to an operating company (e.g., whole business securitizations). As part of our operational risk analysis, we may assess the disruption risk of key transaction parties, including a review of the senior management team, company track record, experience, and internal controls, with cyber risk being one of several factors that could influence our risk assessment (see “Global Framework For Assessing Operational Risk In Structured Finance Transactions,” published Oct. 9, 2014).
The following questions may provide insight into an entity’s relative state of cyber risk preparedness. Although the list is not intended to be a checklist or to apply to every situation, it can provide a general example of what we might ask when speaking with transaction parties. In some cases we could request additional information or look for further policies and practices as the situation warrants, while in other cases these questions may be less relevant for our credit rating analysis.
Who oversees the information security program (e.g., is there a chief information security officer)?
What steps have been taken to identify and protect assets and data from cyberattacks?
What policies and practices have been implemented to enable the detection of, response to, and recovery from a cyberattack?
What was the response to material physical or cyber security breaches that have occurred?
In accordance with our criteria, where we believe operational risk could lead to credit instability and/or a ratings impact, we may limit the securitization's maximum potential rating.
Administrative key transaction parties. For administrative key transaction parties, such as the trustee, calculation agent, and paying agent, their roles are usually limited to executing certain instructions in the transaction documents. The skills required to perform these responsibilities are commoditized, making replacement relatively easier. Furthermore, administrative transaction parties are typically highly rated, regulated financial institutions, or subsidiaries thereof, and have robust risk management frameworks including a formal cybersecurity protection plan with regular stress testing. As a result, consistent with our criteria for analyzing operational risk, administrative key transaction parties usually do not constrain a transaction's maximum potential rating unless we have reason to believe that their track record is not satisfactory and their future performance could have an adverse impact on the rated notes.
If a detected cyber event is likely to affect rated transactions, we would conduct a case-by-case review to determine if a rating action is warranted. We would typically consider the nature of the attack: how direct is the exposure, including the scope and size of the event, how likely it is to have a knock-on effect on the rated notes, and within what timeframe; and the terms and conditions of the notes. If there is a payment shortfall on the rated notes, we would consider any stated grace periods and the likelihood that the disruption could be remedied in a timely manner in determining whether a rating action is warranted.
For example, a severe ransomware attack that results in an immediate payment shortfall on the rated securities and is expected to persist for a prolonged time may warrant a rating action. Meanwhile, a data breach that could potentially result in future losses if the affected transaction party defaults, and if other structural mitigants prove ineffective, may not have an immediate impact on our credit ratings.
In our view, timely management of a cyber event is key to preserving the credit quality of a transaction. Depending on the nature of a cyber event, it may create either a temporary liquidity risk, or result in increased credit risk if the issuer suffers losses. We believe that, in most cases, liquidity risks would be the more likely outcome. As a result, in our view, securitization structures are generally well prepared to manage cyberattacks given the structural mitigants outlined above. However, if structural features do not prove effective in managing the fallout from a cyberattack, for example due to a prolonged period of disruption that depletes liquidity reserves available to an issuer, the potential ratings impact could be more pronounced than for non-special-purpose issuers. This is because SPEs have limited resources to make timely payments to their creditors, so any disruption in cash flows could be more severe than for other entities who have alternative sources of liquidity.