International public finance entities have become more vulnerable to cyber attacks due to their increased digitization and role as a provider of critical infrastructure. Entities with weak cyber security infrastructure could face greater impact on their daily operations, finances, and reputation.
July 19, 2022
This report does not constitute a rating action.
Michelle Keferstein, Frankfurt, michelle.keferstein@spglobal.com
IPF entities' exposure to cyber risks, and the frequency with which they have suffered attacks, has increased significantly since the pandemic, driven by increased digitalization of internal systems for remote working and growth in online services.
The size of the overhaul was magnified by the public sector's relative lack of IT investment before 2020, particularly compared with the corporate sector. That meant digitalization required substantial new investment, yet IPF entities--which include non-U.S. local and regional governments (LRGs), social housing providers, educational services, and infrastructure entities--often received little funding from central governments to establish or enhance their cyber security systems. We believe this has left the sector with generally weak cyber security infrastructure. That, coupled with its increased digital presence and access to often sensitive information, makes it a prime target for hackers, and leaves IPF entities especially vulnerable to financial and reputational damage from cyber crime.
The list of incidents is growing. In May 2022, the Austrian state of Carinthia was targeted with "Black Cat" ransomware, resulting in the theft of sensitive information and a massive outage of government services. In June 2022, the IT systems of utility providers, transportation companies, and housing associations in the German cities of Frankfurt, Mainz, and Darmstadt were damaged by an attack. And in the same month, the U.K.'s largest social housing provider, Clarion Housing Association, fell victim to hackers that disrupted email servers and internal IT systems.
A successful cyber attack can have both immediate and long-term effects on an IPF entity's operations and credit quality. In the immediate aftermath of an attack, operations may be disrupted, while revenues from electronic services could decline or cease--with consequences for the entity’s financial position.
Over the longer term, we consider the most significant risk to be reputational damage, particularly as many entities store sensitive information, including addresses, bank accounts, and tax data. A breach involving that data could also expose an issuer to regulation and litigation costs, possibly resulting in long-term liquidity issues and increased debt.
An entity that fails to respond to, or recover from, a cyber attack could further suffer reduced access to lenders or debt markets. We consider this a significant risk, particularly for entities with small operating balances, low liquidity levels, and already limited access to capital markets. We do not consider the risk that an attack could hinder timely and full payment of debts to be significant as it would require third-party systems at clearing houses and banks to be affected.
We believe that embedding cyber risk management in a public entity's wider risk assessment is key to reducing the risk of a successful cyber attack and to minimizing damage should such an attack happen. We assess an IPF issuer’s cyber preparedness based on principles similar to those set out in the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), and by the International Organization for Standardization (ISO 27001), and the Center for Internet Security (CIS).
Prepare: We expect public sector entities to have deep knowledge of their IT and business environments, understand the resources required to support critical functions, and the cyber risks they face. This includes an assessment of physical and digital assets, and notably sensitive data that may have special legal protection--such as social security numbers. We anticipate a public sector entity will have in place a cybersecurity strategy that is part of a broader risk management framework, which identifies and tracks cyber threats, addresses key risks, and constantly monitors and tests security systems. We also seek to understand the extent to which an entity protects critical information using safeguards such as firewalls, access control management, and staff training.
Respond: We expect a public sector entity to have a detailed incident response plan that is tested frequently and which includes a communication strategy. Security systems that are capable of quickly detecting and responding to a cyber incident are preferable as they help limit the damage and cost of an attack. Systems should also be subject to constant monitoring and improvement. In the event of an attack, an issuer should be able to isolate affected systems, while maintaining essential daily operations. Our analysis also considers an issuer’s ability to maintain timely debt service payments.
Recover: A public sector entity's resilience planning should be regularly tested, revised, and optimized. We expect this will include the ability to restore data affected by an attack, to reconfigure damaged systems so they can be used, and the means to regain access to compromised systems. We consider communication with stakeholders to also be a key element of a recovery system.
We view cyber readiness as part of an LRG's financial management responsibilities and expect management teams to include cyber risk in their wider risk assessment and planning. This includes establishing a cyber security strategy, building the required infrastructure, and monitoring cyber defenses and resilience.
Cyber risk preparedness is thus part of our assessment of an entity's financial management, alongside other factors such as political and managerial strength, financial planning, liquidity, debt, and contingent liabilities management.
An LRG's credit quality can be both immediately damaged by a cyber attack and suffer longer term damage from the necessity for increased IT investment and an increase in insurance premiums. Any of these could result in a greater debt burden and weaker liquidity and, dependent on the overall impact, lead us to reassess our view of a company's credit quality, in line with our criteria.
An attack could disrupt liquidity and revenue streams if an LRG is unable to accept payments or deliver services, and result in financial losses both directly and indirectly, due to recovery, regulatory, and litigation costs. We thus consider the LRG's liquidity, and its ability to access liquid assets, as important factors in our resilience assessment, particularly considering that an issuer may find it difficult to quickly raise new debt following an attack.
We recognize that a cyber attack could affect an LRG’s ability to service its debts on time and in full, which could lead to a (technical) default, though we consider this scenario unlikely--given that an attack would need to disrupt both the LRG and external service providers, such as clearing houses and banks.
Some LRGs are notably exposed to government-related entities (GREs) due to their reliance on transportation and utility services provided by the latter. Outages in these services, due to a cyber incident, can feed through as a cost to an LRG, which may need to support its GRE. This could weigh on the GRE's budget, and result in the LRG's contingent liabilities increasing over the medium-term.
We assess cyber risk at public and non-profit social housing providers using criteria similar to those for other public sector enterprises. Our assessment of housing providers' management and governance is informed by the issuer's cyber risk preparedness, which can lead us to revise an issuer's management score. We consider that the management of social housing groups should have a comprehensive cyber strategy, including monitoring for breaches and system weaknesses. Given housing providers' high public profile, we also consider a comprehensive communication plan to be a crucial element of their cyber preparations.
The competitive nature of the housing sector means that entities are more exposed than other LRGs to the risk of losing market share following a cyber incident. We also believe that housing providers are more exposed than other LRGs to reputational damage from a cyber attack given the potential for financing conditions to deteriorate due to a loss of investor trust. That could prove a substantial post cyber incident cost, in addition to spending related to restructuring, IT services, litigation, and fines.
We understand that most public sector entities use their own balance sheets to fund IT infrastructure, and other cyber-related investments, and in most cases don’t receive additional support from central governments (or other state owners). This provides limited leeway for LRGs to significantly increase IT-related investment. Nonetheless, we expect an increase in cyber security spending, notably considering the increased cyber threat due to the Russia-Ukraine conflict (see "Cyber Threat Grows As Russia-Ukraine Conflict Persists," published May 11, 2021).
We believe central governments will increase cyber-related investment in the public sector, and governments have already announced new, or greater, spending on cyber security, which will feed through to LRGs and other public entities.
We consider this an important and positive development, especially given increased demand for digitalization due to home working. We will continue to monitor public sector spending on cyber security to see how it translates into cyber preparedness for our rated entities.
Our experience is that IPF entities operating in supportive environments usually outperform national averages in terms of cyber security. For this to be the case, though, countries typically need a legal framework for dealing with cybercrime, computer emergency response teams (known as CERTs), a national cybersecurity strategy, and working groups whose role is to enhance cyber security--all of which take time to establish and become fully functional. Also, the cyber preparedness of entities within a single country often differs and is unlikely to change without major state investment.
We believe that disruption from cyber attacks could slow digitalization of the public sector, compared with the private sector, where competitive pressures encourage investment in online services and automation. At the same time, relatively simple measures, including staff training, can improve cyber security, helping public sector entities to minimize the cost and disruption of a cyber attack--85% of data breaches are the result of human error, according to the "Data Breach Investigations Report," by telecommunications company Verizon.
Cyber insurance can mitigate cyber attack risk, though we recognize issues relating to increasing premiums and the scope of coverage are problematic for public sector issuers.
Moreover, insurance providers often conduct technical reviews before accepting clients. Meeting the requirements for insurance, such as multi-factor authentication, encryption, and intrusion assessments, can increase insurance costs further--though some entities consider that the evaluations provide a means to test their systems. The challenges of those technical tests and the high premiums for cyber insurance mean many rated entities have no, or insufficient, cover.
We have watched with interest the emergence of alternatives to traditional insurance. For example, some municipalities in Canada and U.K. councils have flagged plans to establish cyber-related funds to provide liquidity access in the event of a cyber attack. Britain's Gloucester City Council received £250,000 ($298,626) from the Government and Local Government Association following a malware attack in December 2021, and it created a reserve of £380,000 to help pay for the longer-term costs of the attack. We expect other entities will build liquidity reserves as part of their cyber preparation planning.