In March, the western U.S. power grid was attacked. In April, it was Cleveland Hopkins International Airport. And in May, the city of Baltimore came under siege, with almost all of its systems forced offline. These cyberattacks on public facilities and governments made headlines across the country, likely due to their size and scope; however, attacks like these take place daily throughout the sector.
By tapping available liquidity and often reverting to nontechnical temporary solutions, most entities have so far managed attacks without affecting their creditworthiness. However, cybercriminals and cyberterrorists are adept at shifting their tactics, looking for avenues they find either easily penetrable or sufficiently lucrative.
The public finance sector needs to remain vigilant in protecting both the individual entities and the sector as a whole, addressing their unique challenges while navigating a patchwork of legal governance. S&P Global Ratings believes that preparedness is vital to maintaining credit quality. While all our sector-specific criteria allow for analysis of the credit risk presented by cyberattacks, this article focuses on how we analyze the risk for rated municipal entities.
The Unique Cyber Problems Facing Municipal Issuers
Municipalities can be at greater risk of cyberattack simply due to the trends affecting the sector:
- Aging of the workforce;
- A shift to more technological solutions; and
- Improved transparency of municipal operations.
The coming "silver tsunami" in the municipal workforce, and the associated retirements, will present cyber-related risks, because it is easier to keep good IT employees than it is to replace them. Once employees retire, the government must compete for the same employees with local companies. Historically, those companies have been able to offer higher pay, which often means that government new hires have less experience than their private-sector counterparts.
These staffing concerns occur at a time when more and more municipalities are turning to technological solutions to help deliver services or assistance. Technology helps municipalities reduce costs, which matters because their revenue-raising options are used sparingly and are often politically contentious. Very often, these solutions replace existing systems that rely on personnel to deliver services with new programs, practices, or even artificial intelligence. This movement toward digitalization and technology increases cyber risks, and proper planning must be considered during implementation. But how governments work through these issues can increase risk further.
Local governments, by their nature, aim for transparency. This is generally a positive attribute for maintaining the public trust, but it also can give a cyberattacker access to wide-ranging information, particularly during acquisition and request for proposal processes. If issuers do not review that information through a cybersecurity lens, the government can take on more risk than it anticipated.
How Cyber Security Affects Creditworthiness
Given the unique risks facing municipal issuers, their ability to integrate cyber security into various aspects of governance becomes critical to overall creditworthiness. Throughout capital markets, assessing the credit impact of environmental, social, and governance (ESG) factors has increased in importance. S&P Global Ratings integrates cybersecurity into its municipal ratings through its management assessment as one of its governance assessment factors (see table). Given that risk culture and mitigation are important parts of the governance of municipal issuers, we view an issuer's ability to prevent, respond to, and recover from a cyberattack similarly to other event-based risks such as weather-related incidents.
| Cyber Governance Credit Considerations | | |
|---|---|---|
| Infrastructure and staff investments | Liquidity | Contingent liabilities |
| Employee training | Accountability | Constituent trust |
As with any event-related risk, prevention is critical to limit and mitigate the impacts of cyberattacks. Adequate prevention can aid in response and recovery, while inadequate prevention can actually exacerbate the effects of an attack.
Risk assessments. Basic prevention measures for local governments include comprehensive risk assessments and employee training. Risk assessments help local governments identify where systems may be vulnerable and what infrastructure investments are necessary to limit exposure to attacks. These could include security software, upgraded servers, and dedicated IT security specialists.
Infrastructure and staff investments. Outdated systems are more vulnerable to attack. Therefore, maintenance and upkeep, including frequent backups of critical data, need to be a part of any local government's maintenance plans.
Employee training. Given that human error, such as clicking a link in a phishing email or otherwise providing accidental network access, leads to a significant number of cyberattacks, comprehensive employee training is vital to limiting the risk. Training should also include scenario planning, so that employees know what steps to take in the event of an attack, whether a ransom should or could be paid, and how to isolate a threat or restore a network. These investments can increase capital spending through debt issuance or cash outlays, potentially weakening budgetary performance or debt profiles. However, when managed properly and incorporated into recurring expenditures, they are unlikely to weaken an issuer's overall credit profile. Taken together, investments in human and physical capital reduce a government's exposure to attacks and improve its ability to respond when the inevitable happens.
Governments are unique in the variety of issues they face when responding to a cyberattack. They must continue to provide essential services while maintaining public confidence in their ability to operate.
Transparency. For local governments, transparency and communication during a cyberattack are critical. Citizens expect government services to function. If public safety, water works, public power, or other essential services are disrupted due to an event, people need to know what to expect.
Liquidity. The speed and ability of a government to respond is often directly correlated with its liquidity and reserve position, as well as its preparation beforehand. While insurance could reimburse these expenses, a government must be able to front the costs of responding to an attack. These costs could include bringing in consultants to help manage the response and recovery, costs associated with restoring or recreating data backups and networks, or temporary networks or services to maintain operations during a shutdown.
Accountability. Through it all, governments must remain accountable to constituents, ensuring the integrity of sensitive identification information and operations. Transparency during a response improves a government's accountability. Clear communication about the status of services and reassurance about continuity of public safety and other essential services can calm citizens during an attack. Maintaining citizen trust during and following an attack, while important for any organization, is uniquely challenging for local governments given the necessity of support to fund and run government operations.
Following an attack, local governments' creditworthiness can suffer in the near term, due to the direct costs of an attack, and in the long term, particularly if constituent support weakens.
Costs and contingent liabilities. The first concern is the materiality of the event and its effects on the government's finances. S&P Global Ratings will calculate the costs of an attack and immediate response as a percentage of a government's budget and reserves to determine the relative financial impact. Then, depending on the nature of the attack, S&P Global Ratings will consider contingent liabilities that could result from an event, including legal challenges due to data breaches. During the recovery efforts, the varying degrees of disclosure also introduce uncertainty in the municipal market, because contingent liabilities from undisclosed data breaches could create credit pressure.
Constituent trust. The loss of trust is one of the greatest long-term risks local governments face when planning for and responding to event risks. Without voter support, governments might struggle to raise funds necessary to support balanced operations. If governments cannot protect citizens' data, support for technology provision of services will fall. This could increase operational costs for governments, which could also feel the effects at the ballot box, with elected officials being held accountable for digital security.
Much of the information S&P Global Ratings will use in analyzing an event comes from conversations with management teams in the aftermath of an attack, in part because of the lack of standardized disclosure of cyberattacks. In addition to discussing the direct costs, analysts will ask about management's plans to recoup post-attack spending and any plans to improve prevention. Despite a growing number of attacks, to date, S&P Global Ratings has not downgraded any issuers as a direct result of a cyberattack, although other ESG factors have led to rating actions (for more information, see "When U.S. Public Finance Ratings Change, ESG Factors Are Often The Reason," published March 28, 2019, on RatingsDirect). However, we continue to monitor long-term repercussions cyberattacks may have on issuers' creditworthiness.
Notification Laws Related To Cybersecurity--And The Lack Thereof At Times
Further complicating matters for municipalities is the complex mix of legal governance for cyber issues that they must navigate as they prepare for, respond to, and recover from cyberattacks.
Typically, municipalities must comply with criminal laws and disclosure requirements. Cybersecurity and privacy risks are deeply intertwined, meaning data breaches are some of the most regulated types of cyberattacks in terms of responses. This poses problems for municipalities.
- Lack of transparency regarding attacks erodes trust between a local government and its citizens when news of attacks inevitably comes out.
- Lack of a uniform obligation to disclose a breach or attack--even if thwarted--obscures the frequency and scope of attacks, limiting the sector's ability to coordinate responses and leverage best practices.
- Lack of inter-governmental support. When a cyberattack succeeds, sharing what occurred allows others in the municipal market to better prepare. For U.S. public finance issuers, a cyber-resilient future likely needs to include the concept of herd immunity--one victim in the community can get sick, but if everyone else takes preventative measures, the threat is contained.
Other legal factors for governments to consider when creating a cyber-preparedness plan or responding to an attack include the following:
- Governments have no consistent legal obligation to disclose a breach or an attack, which further obscures how often the attacks happen, and what governments do in response. All 50 states have consumer breach notification laws; however, only two--Connecticut and New Jersey--require a breach notice upon unauthorized access alone, as opposed to unauthorized data acquisition.
- Not all municipalities can legally pay a ransom, given its criminal nature. While it remains largely legal to pay ransoms under U.S. law (since the illegal act is to demand a ransom), to whom the ransom would be paid matters. To date, there is no legislation governing cyber-specific payments.
- Continuing disclosure requirements obligate issuers of debt to update the bondholders and the market of material events that could affect credit. Therefore, governance surrounding a cyberattack needs to aim for both internal and external transparency while focusing on laws and practices applicable to commerce, information, criminal activity, and debt disclosure, among other topics.
At the federal level, any internet-connected device is covered by the Computer Fraud and Abuse Act (CFAA, 18 U.S.C. §1030), since the internet facilitates interstate commerce as defined under the Commerce Clause of the U.S. Constitution. Phishing, distributed denial of service (DDoS) attacks, ransomware, and similar malware are federal crimes. All 50 states have computer crime laws, and approximately half have laws that address DDoS attacks; however, only five--California, Connecticut, Michigan, Texas, and Wyoming--have laws that specifically address ransomware and cyber-extortion. Fewer still have laws that address both (see map). States that lack ransomware legislation might only have laws that refer to more traditional forms of ransom, which could likely apply to ransomware, but might still be subject to loopholes that would make prosecution more difficult.
What Will Matter To Credit Quality Down The Road
Cyberattacks are likely only to increase--in both frequency and severity. We believe that those municipalities that take comprehensive actions to mitigate the risk will see less credit quality deterioration following any attack. While governments with proper planning and adequate liquidity positions will have the best chance of weathering the risk, local governments that have more limited resources to tackle the issue face the biggest risk to their creditworthiness.
Related Research
- Through The ESG Lens: How Environmental, Social, And Governance Factors Are Incorporated Into U.S. Public Finance Ratings, Oct. 10, 2018
This report does not constitute a rating action.
Primary Credit Analysts: Geoffrey E Buswick, Boston (1) 617-530-8311; Tiffany Tribbitt, New York (1) 212-438-8218
Secondary Contact: Sabrina J Rivers, New York + 1 (212) 438 1437