- Cyberattacks, like any event risk, can pressure liquidity and operational balance, and can further create contingent liabilities for U.S. public finance (USPF) issuers.
- Social engineering attacks, which consist mainly of phishing and pretexting, attempt to trick users into helping attackers evade security controls, which can open the door for them to carry out ransomware infections, invoice fraud, and other attacks that can cost substantial amounts of money.
- Wider availability of more complex exploit kits (malicious software kits) increases the likelihood of breaches, necessitating better issuer preparedness.
- As threats evolve, so do prevention efforts, including a growing trend of state-level support for improving local government cyber defenses.
Preventive Measures Are Key To Fighting Cyberattacks
Many cyberattacks are simply fraud carried out through a new medium. The difficulty facing U.S. public finance (USPF) issuers is the sheer volume of attacks and the number of targeted employees, increasing exposure to social engineering attacks. This makes it difficult to prevent every attempt, although there are ways to increase preparedness.
We look for issuers to take steps to mitigate their exposure to cyberattacks. Examples of adequate prevention measures include:
- Email filters or controls that notify users of external senders
- Firewalls and proper technology asset management, including making critical technology updates as needed
- Practicing good cyber hygiene, including security patch management
- Data backups to allow for recovery following an attack
- Employee training on how to identify and report potential cyberattacks
- Process controls for vendor management and payments
- Creation and testing of incident response plans
- Insurance coverage for cyberattacks
Given the range of technology support staff available at USPF issuers, the level of preparedness varies. Furthermore, when budgets are tight, funding for preventive measures may be deprioritized for more urgent concerns. However, for those that lack adequate preventive measures, the likelihood of a cyberattack increases. Once an attack happens, the level of preparedness and ability to respond dictate whether it could lead to a rating action.
Specifically, we look to an issuer's cash position and reserve levels to determine if the attack is likely to affect its creditworthiness. To date, there have been many breaches, but only one resulted in a rating change. The scale of the breach compared to the issuer's financial ability to absorb the negative impact generally determines if there will be a rating action. If an issuer has a cyber insurance policy, depending on the type of attack, it may be eligible to recoup some of the lost funds. However, insurers may view certain attacks as fraud and therefore funds lost might not be covered by the policy. We have seen this happen to USPF issuers, making proper policies and controls critical to prevent financial losses.
Social Engineering Attacks Come In Many Forms
The 2018 Verizon Data Breach Report indicated that more than 90% of all breaches globally that year began with a social engineering attack. These can be broadly grouped into phishing and pretexting attacks, although there is significant overlap between the two. Phishing is typically defined as a message intended to make the recipient fall for the bait (either by clicking a link or opening an attachment that downloads malware, or entering their credentials into a suspicious site). Phishing include spear phishing (a targeted attack), SMSishing (using text messages rather than email), and vishing (using phone services). Attackers typically use phishing to steal credentials or install malware on a device, giving them a direct connection to the victim's network.
Pretexting creates a false narrative to obtain information or to trick employees into sending funds. This category commonly includes business email compromise and invoice fraud. Pretexting commonly targets finance employees, often purporting to be from a trusted third party and seeking confidential data or direct bank transfers.
Other social engineering techniques include shoulder surfing (reading a password over a user's shoulder), tailgaiting (following a legitimate user into a restricted area), and baiting (leaving malware-infected USB drives). However, these attacks are much less likely to occur.
Attackers aim to use these means of compromising systems to deliver malware (i.e., malicious software like ransomware) through a booby-trapped attachment or link leading to a site hosting the malware. Once opened, the malware will exploit an unpatched vulnerability on the target's system, leading to malware infection. Different strains of malware operate in different ways, making data or systems unusable in a denial of service attack, or holding data and systems to ransom. They can also facilitate data or credential theft, leading to additional attacks in the future.
As the number of attacks grows each year, and their complexity continues to evolve, we will continue to monitor issuer preparedness and the potential credit effects of any attacks.
The graphic below shows the relationship between the delivery of an attack, its intended outcomes, and the consequences issuers could face once compromised.
States Are Stepping Up Efforts To Help Issuers Fight Cyberattacks
Cyber threats continue to evolve, making cybersecurity a constant challenge. Technology is always advancing, and complex attacks have become cheaper and easier to execute. Historically, sophisticated cyberattack techniques were only observed from adversaries such as nation states, but in recent years, the availability of malicious software has increased rapidly. This change, particularly for social engineering attacks, has largely been spurred by the expansion of dark web forums and the sale of phishing kits and malware samples. Unskilled attackers can use these software packages to launch more-and-more sophisticated attacks. Often available for free or at a low cost, the kits commonly have features such as anti-analysis and obfuscation techniques designed to evade security detection and antimalware tools. They also use sophisticated impersonation techniques, false error messages, and are mobile-friendly, making the scams much harder to detect with automated processes and employee-education programs.
We expect this trend will continue, particularly through the evolution of deepfake technology. Deepfakes are a form of synthetic media where an attacker alters a person's voice recording, static image, or video to make it appear they did or said something they did not, which is then used to trick targets into doing the cyberattacker's bidding. Furthermore, continued improvements in techniques used to evade security-detection tools make attacks more difficult to prevent. This increases the risk that attackers could target more issuers--including those with smaller budgets--as the number and frequency of attacks grow.
As threats evolve, so must prevention and response tactics. Indeed, state governments are taking note, creating cyber-response teams to assist local governments and schools. In 2019, 31 states enacted cybersecurity-related legislation, according to National Conference of State Legislatures reports. Although many of these laws related only to reporting breaches, election security, or the state's cyber defenses, many states joined the growing number looking to leverage state or community resources to aid local governments in preventing and responding to attacks. The main ways states aim to assist is through information sharing of both threats and preventive measures, as well as with direct support for incident response and recovery.
States generally do this in one of two ways: through direct state coordination or through coalitions of public, private, and nonprofit entities. Where the state is providing direct support, it is often through the state's National Guard, Homeland Security, or information technology departments, or as part of general emergency services. Examples include Ohio's Cyber Reserve and New Jersey's Cybersecurity & Communications Integration Cell. For states with cyber coalitions, groups of private and nonprofit companies work with state and local governments to improve information sharing and prevention techniques, and to develop innovative approaches to improving cybersecurity. The Arizona Cyber Threat Response Alliance is one of the most established of these community coalitions, providing support for entities in the state and across the nation, but many others exist. Some states, including California, Virginia, and Washington, offer both kinds of support.
In addition to these state efforts, local governments are creating risk pools and cyber insurance funds to provide coverage against losses at lower prices. Counties coordinate with local municipalities to share information and best practices. Federal efforts include the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency, which provides resources for state, local, tribal, and territorial governments, as well as DHS's Cyber Resilience Reviews, offered free of charge to local governments. However, although congressional bills are in various stages, cohesive federal policy and significant financial support of cybersecurity measures for local governments have not yet made it into law.
As with any emerging risk, we expect cyber threats and responses will continue evolving. How issuers prepare for and respond to these changes will determine if there is any impact on their credit quality.
Megan Kaczanowski is a threat intelligence analyst for S&P Global.
This report does not constitute a rating action.
|Primary Credit Analyst:||Tiffany Tribbitt, New York (1) 212-438-8218;|
|Contributor:||Megan Kaczanowski, New York + 1 (212) 438-7956;|
|Secondary Contact:||Geoffrey E Buswick, Boston (1) 617-530-8311;|
No content (including ratings, credit-related analyses and data, valuations, model, software or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment and experience of the user, its management, employees, advisors and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw or suspend such acknowledgment at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain non-public information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.standardandpoors.com (free of charge), and www.ratingsdirect.com and www.globalcreditportal.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.standardandpoors.com/usratingsfees.
Any Passwords/user IDs issued by S&P to users are single user-dedicated and may ONLY be used by the individual to whom they have been assigned. No sharing of passwords/user IDs and no simultaneous access via the same password/user ID is permitted. To reprint, translate, or use the data or information other than as provided herein, contact S&P Global Ratings, Client Services, 55 Water Street, New York, NY 10041; (1) 212-438-7280 or by e-mail to: email@example.com.