The increasing frequency of cyberattacks is prompting banks to quietly integrate cybersecurity maturity into credit risk assessments for businesses, a trend gaining momentum as financial institutions seek to protect themselves from potential loan defaults linked to cyber incidents.
“Banks are getting into this slowly,” says Luc Declerck, CEO of Board of Cyber, a cybersecurity rating firm. Some institutions are now seeking assurance that loans are extended to organizations capable of withstanding cyberattacks, recognizing that a successful breach can jeopardize a borrower’s ability to repay. “When an organization is hit by a cyber incident, the risk is non-repayment or only partial repayment of a loan, because this incident can have a significant financial impact,” Declerck explained. Ransomware attacks or production slowdowns resulting from cyber intrusions can even lead to company liquidation, leaving creditors unable to recover their funds. Board of Cyber currently provides its cyber rating solution to Crédit Lyonnais, aiming to ensure the bank’s lending portfolio consists of organizations with robust cybersecurity postures.
While many banks remain hesitant to formally incorporate cybersecurity maturity into lending decisions, fearing a loss of clients, those that are doing so generally prefer to operate discreetly. Several banks contacted by Journal du Net declined to publicly discuss their approach. “In general, when a client wants a loan, they consult several banks. And they will refuse to go to a bank likely to hinder their application due to a poor cyber posture. The bank using such a criterion therefore risks alienating a portion of the market,” Declerck noted. Though, Pouya Canet, director of cyber insurance strategy at Citalid, a cybersecurity maturity assessment company, believes “some players prefer to opt for a forward-looking logic.”
Citalid recently secured a contract with a bank in late 2024, with the client stating a growing need to consider cyber risk in lending decisions alongside environmental, social and governance (ESG) criteria. “We are in discussion with other banking players and we are seeing a real interest on their part,” said Maxime Cartan, co-founder of Citalid. Financial rating agencies are also beginning to explore how to integrate cyber risk into their assessments of financial products like loans, signaling a broader industry shift.
New cybersecurity regulations, such as the NIS2 Directive, are also driving banks to consider cybersecurity as a lending criterion, according to Declerck. “The regulations like NIS 2, the government and many actors are working to strengthen the cyber posture of small and medium-sized enterprises and medium-sized enterprises. Cybersecurity is now a business issue for organizations, an issue that bankers are surfing on. This cyber criterion will be a natural criterion in the future. For bankers, this criterion will appear legitimate because We see increasingly demanded by the market, by the ecosystem.” Some banks are anticipating further regulatory requirements, proactively integrating the criterion into their processes, Cartan added.
Currently, banks that incorporate cybersecurity maturity assessments primarily use them as recommendations rather than strict requirements. “For the time being, this criterion is above all a recommendation which should encourage the client requesting a loan to evolve their cybersecurity if necessary. By evaluating their cyber maturity, the bank provides a cyber diagnosis to its client so that the latter takes into account its vulnerabilities and makes sure to reduce them, if necessary, to obtain the loan,” Declerck explained. Canet echoed this sentiment, stating that the criterion is “not intended to be punitive,” but rather a preventative measure to raise awareness among businesses about cyber risks.
The assessment process is tailored to each client’s specific circumstances. “The logic of banks is not to demand that all organizations be extremely robust in cybersecurity. They have a risk-based approach. For example, they will not ask a small company in a non-sensitive sector to have the cyber level of a large group. When the risk is low, few cyber investments are requested by the bank. These are not complex and unique criteria: banks know how to adapt them to reality,” Cartan said. Some clients, particularly large organizations with demonstrably strong cybersecurity practices like Danone or L’Oréal, may be exempt from the full diagnostic process.
Banks typically assess cybersecurity maturity through questionnaires and automated assessment tools like those offered by Citalid and Board of Cyber. “The security questionnaire asks a whole bunch of classic questions that are found in insurance questionnaires. These questions aim to ensure the presence of multi-factor authentication, a well-managed access rights, etc. It’s declarative and our cyber rating solution allows the bank to verify that what has been declared is true and visible,” Declerck concluded.