As cyberattacks increase in sophistication and frequency, U.S. public finance (USPF) issuers must embed cybersecurity into their comprehensive risk-mitigation strategies. We consider risk management and mitigation a governance factor under environmental, social, and governance (ESG). We believe most municipal issuers' preparedness will support credit fundamentals and prevent significant financial or reputational fallout that could result from an attack. In our view, all USPF issuers should be taking steps to mitigate their exposure to event risk stemming from a cyberattack. An inability to fully restore operations in a timely manner after a cyberattack could lead to rating pressure. USPF issuers experienced cyberattacks before the COVID-19 pandemic, and we have been analyzing potential credit impacts for more than half a decade (see Related Research below). Our analysis of an issuer's strategy to prepare for, respond to, and recover from an attack uses the National Institute of Standards and Technology (NIST) standards as a benchmark for a sound plan, as it has since cyberattacks first emerged as a credit risk several years ago. However, the universe of USPF issuers is broad and diverse and the NIST framework, first established in 2014 and updated regularly, is very detailed and focused on protecting critical infrastructure. Therefore, our analysis of an issuer's preparedness and mitigation practices typically considers the role of the organization as well as the size and scope of its operations since many issuers are not responsible for critical infrastructure elements.
Prepare: Best Practice Is For Issuers To Include Cybersecurity In Risk-Mitigation Plans
We expect all issuers to have a basic knowledge of their physical and digital assets, including personally identifiable data that may have special legal protection. In addition, we believe issuers should understand where vulnerabilities are in their systems. This understanding typically is documented in a device and network inventory and includes implementation processes to mitigate cyber threats. Furthermore, it includes an understanding of risks from vendors and third-party relationships for information technology, accounting, billing, or other purposes. Understanding what could be at risk is the first step in developing an effective mitigation strategy.
In addition, we expect issuers to take basic steps to protect their assets, such as implementing cyber hygiene practices and staff training. Good cyber hygiene practices include but are not limited to firewalls, antivirus software, multifactor identification requirements, security-patch management, phishing exercises, and email filters. Additional policies, including regular access audits and vendor management, should be implemented, as necessary, based on the size and sophistication of the issuer. Given the rise in social engineering fraud, controls around wire transfers and bank payments should also be in place, as necessary. Finally, for large issuers or those more frequently targeted, such as states, utilities, health care facilities, and higher education institutions, we would expect the issuer to have a dedicated chief information or chief information security officer, or to identify the person or department ultimately responsible for securing assets and data.
Respond: Best Practice Is For Issuers To Monitor Their Systems And Plan For How To Respond Before An Attack
The longer cyber criminals have access to a system, the more damage they can inflict. Therefore, the ability to rapidly detect an attack could limit damage. At a minimum, we generally expect that issuers have some type of system monitoring to detect a potential threat. This could include a dedicated employee or team, but could also be electronic. The sophistication of the network or a large number of devices potentially exposed would increase our expectation that the issuer has a more advanced governance framework for cyber response.
We also typically expect issuers to consider what they would do in the event of an attack and have a basic plan for data recovery and systems backup. Regular data backups should be part of this plan. For certain issuers, particularly those that provide critical services, we would expect detailed response plans that include exercises to periodically evaluate the effectiveness of the plans using walkthroughs, and tabletop, functional, or full-scale exercises. Failure to have an effective plan could force the issuer to shut down operations, resulting in adverse effects on finances and life and safety. This could lead to a downgrade.
Recover: Preparedness And System Design Can Help Lessen Credit Impact
With the increasing sophistication and constantly changing attack strategies of cybercriminals, absolute avoidance of risk might not be possible. In our view, with proper preparedness and practiced response protocols, damage from a cyberattack could be limited. Recovering from an attack may mean restoring data from backup copies, reconfiguring systems, or using other means of regaining systems access. We also evaluate the sufficiency of an issuer's liquidity to recover from a disruption in its cash flow after a cyber incident. Adequate and available reserves, particularly when supplemented by a cyber insurance policy, usually mitigate this risk. Finally, we look for disclosure of events and impact analysis to ascertain if improvements to risk-management policies and practices might be necessary following an attack. We view a full and timely disclosure following a cyberattack as critical to mitigating potential legal risk from parties potentially injured as a result of the attack, including bondholders. Also, such disclosure can help peers and other municipal issuers better prepare for similar attacks and help the capital markets identify trends and refine best mitigation practices.
An example of cybersecurity embedded in risk-management planning
The example below demonstrates the questions an analyst might ask to assess an issuer's risk-management policies and practices for cybersecurity, with sample answers that would demonstrate risk mitigation for a small local government issuer. Although it's not intended to be a checklist or to apply to every issuer or situation, it can provide a general example of what an analyst might consider when speaking with issuers. Analysts could ask for additional information or look for further policies and practices as the situation warrants.
What steps have you taken to identify and protect your assets and data from cyberattacks?
- Device registration and access controls
- Firewalls, staff training, virus, and malware scans
- Two-signature requirements on wire transfers and payments
What policies and practices have you implemented to enable you to detect, respond to, and recover from a cyberattack?
- Data recovery plans including offsite backups
- Cyber insurance
- System scans to detect malware/attacks
- Ability to isolate attack from affecting entire network
- ESG Brief: Emerging Themes In U.S. Public Finance, June 3, 2021
- Sustainable Finance Newsletter: June 2021, June 14, 2021
- Cyber Risk In A New Era: Disruptions And Distractions Increase Challenges For U.S. Public Finance Issuers, Oct. 19, 2020
- Cyber Risk In A New Era: Remedy First, Prevent Second, Sept. 17, 2020
- Through The ESG Lens 2.0: A Deeper Dive Into U.S. Public Finance Credit Factors, April 28, 2020
- U.S. Public Finance Issuers Must Be Nimble To Fend Off Cyberattacks Or They Could Face Credit Fallout, Feb. 25, 2020
- Cyber Risk Management For U.S. Municipal Utilities Should Be Routine And Requires Vigilance And Flexibility, Feb. 3, 2020
- Blockchain Is Coming To Muniland, And The Changes Could Be Significant, July 30, 2018
- Cyberattacks Pose A Real, If Varying, Credit Risk Across U.S. Public Finance Sectors, Sept. 20, 2017
This report does not constitute a rating action.
|Primary Credit Analysts:||Tiffany Tribbitt, New York + 1 (212) 438 8218;|
|Geoffrey E Buswick, Boston + 1 (617) 530 8311;|
|Secondary Contacts:||Nora G Wittstruck, New York + (212) 438-8589;|
|Theodore A Chapman, Farmers Branch + 1 (214) 871 1401;|
|Ken W Rodgers, New York + 1 (212) 438 2087;|
|Aamna Shah, San Francisco + 1 (415) 371 5034;|
|Simon Ashworth, London + 44 20 7176 7243;|
No content (including ratings, credit-related analyses and data, valuations, model, software or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment and experience of the user, its management, employees, advisors and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw or suspend such acknowledgment at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain non-public information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.standardandpoors.com (free of charge), and www.ratingsdirect.com and www.globalcreditportal.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.standardandpoors.com/usratingsfees.
Any Passwords/user IDs issued by S&P to users are single user-dedicated and may ONLY be used by the individual to whom they have been assigned. No sharing of passwords/user IDs and no simultaneous access via the same password/user ID is permitted. To reprint, translate, or use the data or information other than as provided herein, contact S&P Global Ratings, Client Services, 55 Water Street, New York, NY 10041; (1) 212-438-7280 or by e-mail to: firstname.lastname@example.org.