As part of their latest Reserve Bank solvency stress test, New Zealand banks were asked to take into account a cyberattack for the first time. Despite a severe stagflation-like scenario, the Reserve Bank says most firms would have to raise capital, restrict dividends and cut expenses to be able to keep functioning, even though they will have to raise fresh capital, limit dividends, and cut expenses to do so.
During the stagflation scenario considered in the model, high inflation, increasing interest rates, and a severe recession resulting in a surging unemployment rate are some of the features modeled. Since 2014, it has been the first time a reserve bank has conducted a stress test in which high-interest rates were present.
Banks included in the annual stress test were ANZ NZ, ASB, BNZ, Westpac NZ, Kiwibank, Heartland Bank, TSB, ICBC, and Bank of China. They received instructions from the Reserve Bank in April.
6% was the Consumer Price Index inflation rate for the NZ economy. According to Statistics NZ, this was below the 7.2% reported in the current year, as well as the 6.9% reported by Statistics NZ in May for March.
As part of the arrangement, the Reserve Bank also had to increase the Official Cash Rate (OCR) from just 1% – the rate it had at that time – to 3% by the year 2022. Currently, the OCR stands at 3.5%. It is expected to increase to at least 4% on November 23, 2022. This is when it will be reviewed for the last time of the year. A significant part of this scenario includes the sale of the NZ dollar. This has been an element of inflation that has been imported, and which has been occurring this year as well.
The Reserve Bank will incorporate a specific cyber risk event into the stress test that will be administered to participating banks in 2022 for the first time. Over time, this resulted in 1.3 billion dollars in aggregate costs.
In addition to considering how a cyberattack would impact the banks' business, this year's solvency stress test also asked banks to consider how low the likelihood of such an attack was. This is in response to a one-in-25-year cyber risk event that may threaten the general banking system.
To tackle this challenge, banks have come up with several strategies, such as modeling the impacts of different scenarios. These include distributed denial of service attacks, attacks that lock banks out of critical infrastructure, kill chain malware, ransomware, and other threats. These attacks are modeled to last for at least one to two months in the event of a significant attack.
It can be assumed, therefore, that the estimated losses resulting from each event will vary as expected. This is based on the benchmark and the operational risk of the bank at the time. There is an assortment of reasons why companies lose money, including reimbursements from customers, consultancy and legal fees, losses in business, technology upgrades, communications and media expenses, and technology upgrades, according to the Reserve Bank of Australia.
Banks should be aware that multiple risks can crystallize and need to be managed during economic downturns, the Reserve Banks emphasize. The Reserve Bank also shared, "this is even though the aggregate cost of the cyber risk event was small compared with impairment expenses in this stress test. Our understanding of banks' handling and quantification of cyber-risk stress events was enhanced by the exercise."
There is one thing in your life that you have no control over:
Last week, in an interview with interest.co.NZ, ANZ NZ CEO Antonia Watson told the website that attackers strive "all the time" to penetrate the bank's security system.
According to Watson, "This is one of the things you cannot do anything about since there will always be someone who will find some way of finding a backdoor."
Cyberattacks can happen to organizations of all sizes, which is why it plays a crucial role in our risk management strategy as a business. Because of that, it is one of the key risks that we see as a business. This is why we invest so much money to help educate our customers regarding these types of attacks.
National Australia Bank's Ross McEwan, the CEO of the bank's parent company BNZ, revealed last week that NAB's digital channels receive approximately 50 million attacks every month. He further notes that this incident along with the recent cyber-attack on Optus in Australia is what keeps CEOs awake at night.
The scenario
During the NZ economy's stress test scenario, the following scenarios will be experienced:
• In comparison to the peak in November 2021, house prices have fallen by 42% (47% from its peak in November 2021)
• A 38% decline in equity prices has been recorded since December 2021 (42% in the past year).
• At the same time, the unemployment rate rose from 3.3% to 9.3%.
• During the period of the recession, the gross domestic product decreased by 5%.
• A peak in the OCR has been recorded at 5.5%, as well as the peak in the 2-year mortgage rate of 8.4% (the average bank's 2-year rate at the moment is 5.8%, but the big five banks all have rates above 6%);
• There is one more aspect of the economic scenario that banks must take into account and model as well, which is a cyber-risk event that occurs once every 25 years.
A scenario like this has the potential to generate aggregate impairment expenses for banks of $20.8 billion over the next four years, which is higher than the $1.7 billion that has been incurred from the COVID-19 pandemic in the last four years, according to the Reserve Bank. During the second year of the four-year stress test, banks have been sinking into the red.
During the stress test, the common equity Tier 1 ratio for the aggregate company fell by 3.3 percentage points to a minimum of 8.9% before mitigation. This is well above the regulatory minimum of 4.5% as shown in Figure 1 [below].
According to the Reserve Bank of Australia's report on its 2022 stress testing program, this annual solvency stress test was included in the Reserve Bank's stress testing program for the year 2022. Additionally, a liquidity stress test and a test to determine whether the residential mortgage portfolio is sensitive to flooding risks were also included in the study. As part of the Reserve Bank's Financial Stability Report released on Wednesday, the Reserve Bank will present a summary of the "high-level results" in these two areas.
In its description of the stress test on solvency, the Reserve Bank thinks that it is predominantly a bottom-up exercise, where banks normally use their models, sometimes on a loan-by-loan basis, to estimate the impact of the Reserve Bank's specified scenario on capital ratios in the future.
During the release of the instructions and templates for the solvency stress test, the company noted that it is the first time that these have been published publicly.
