- Digitalization in operations and IT services can increase risks of cyber attacks for U.S. public finance (USPF) issuers if proper vendor risk management is not in place.
- Integration of third-party vendor risks into a comprehensive cyber-defense strategy is an important aspect for an issuer to help reduce the frequency and mitigate the effects of a cyber attack.
- Failure to incorporate these risks into risk-management policies could result in negative rating pressure if an issuer's practices seem materially weaker than those of peers.
Third Parties Hold Promise To Accelerate Public Sector Digital Modernization, But They Introduce New Cyber-Security Risks
Innovation and emerging digital technologies are continuously reshaping an interconnected world. For the U.S. public sector, the way in which governments and public entities conduct their day-to-day operations has changed significantly, becoming increasingly dependent on technology. The gradual transition to remote services and work began before the COVID-19 pandemic, but prioritization of and demand for third-party digital infrastructure accelerated during the pandemic, and they will likely remain key business needs. The move to this "no-touch" government service model is prompting a significant build-out of remote access to the public and significantly shifting centralized, physical office settings to a dispersed, remote work environment for many public sector employees. At the same time, keeping up with an expanding digital ecosystem and integrating new digital infrastructure continues to be a capital-intensive risk-mitigation undertaking for the more than 15,000 issuers we rate in S&P Global Ratings' U.S. public finance division.
The deployment of third-party technologies and associated spending grew at a frenetic pace over the past five years, and they are likely to be an integral piece in executing core missions of public sector entities going forward. In 2021 alone, total IT spending among states, local governments, and other public entities is estimated to grow to $118.7 billion, an increase of 6.9% compared with 2020 and a 17.2% growth rate since 2017 (source: Government Technology, govtech.com). While S&P Global Ratings believes outsourcing and procurement of third-party managed services will continue and offer substantial benefits, including cost savings and improvements to service delivery, they can also introduce new vulnerabilities to cyber attacks if risks are not properly mitigated.
For many entities within USPF, several factors remain a barrier to widespread in-house management of government technology. First, retirement of cyber-security and IT professionals and substantial competition for a finite supply of new or experienced employees have created a supply-demand gap, and the shortage of these professionals varies across all levels of government. In the U.S. alone, the federal government estimates that cyber-security and IT employment across all sectors has an unfulfilled need for nearly 500,000 professionals. Public sector entities also have finite resources within their budgets and less flexibility to raise wages so that they remain competitive with those of higher-paying private sector positions. In addition, aging infrastructure or potentially complex systems solutions have warranted outsourcing to third parties, which offer benefits of cost savings, efficiency, expertise, and scalability at a quicker pace than in-house management can provide.
As this reorganization of IT infrastructure and architecture proceeds, increasingly sophisticated and headline-grabbing public sector cyber attacks--particularly the SolarWinds Corp. breach of federal, state, and local agency systems--are a reminder that while government entities are broadening their ability to enhance their own fundamental operations, peripheral threats that target third-party supply chains and bypass government network protections could expose the public sector to more risk. Internet of Things (IoT) devices and a "no-touch" government model--where digital platforms and automation deliver routine and essential services, link to electronic payment systems, and provide on-demand access to documents and records with little to no physical interaction, among other things--each provide a new pathway to sensitive data (e.g., personally identifiable information, credit and bank accounts, employment records, protected health and education information, and law enforcement information) held by governments.
In terms of infrastructure systems such as drinking water and wastewater, public power utilities, and telecommunications, the consequences of a third-party cyber attack that impairs critical infrastructure assets can pose potentially significant public health and safety risks. Some recent cyber attacks showed the vulnerability of critical infrastructure when hackers exploited unsupported or outdated operating systems or software to gain access to control system devices, install ransomware, or steal data.
Recent High-Profile Cyber Attacks Involving Third-Party Supply Chain Intrusions

| Date | Issuer(s) affected | Type of attack | Third party | Impact |
|---|---|---|---|---|
| February 2021 | Oldsmar, Fla. water treatment system | Watering hole attack that planted malicious code on a third-party site that staff used to monitor and perform critical process controls of water systems remotely. | TeamViewer, a remote connectivity platform that enables access to desktop software, IoT devices, and smartphones. | The attacker attempted to elevate certain chemicals to dangerously high levels, but the attack was thwarted by operators onsite who took action to reduce chemical levels to normal. |
| December 2020 | State of Washington (Employment Security Department) | Exploited system vulnerability with unauthorized access to data/files. | Accellion, a third-party file transfer service for large data files. | Breach of personally identifiable information, bank accounts for recipients of unemployment benefits between 2017-2020, representing more than one million Washington residents. |
| 2019-2020 | U.S. government (federal agencies), state, and local agencies. | Supply chain attack from suspected nation-state actors; inserted malicious SUNBURST code onto systems with privileged access to government systems. | SolarWinds, a system-management tool provider for network and infrastructure monitoring, and other technical services. | More than 18,000 public and private organizations including local, state, and federal agencies were estimated to be susceptible to the SolarWinds attack. The extent of the attack remains under investigation at multiple levels of government. |
| May 2020 | 38 or more U.S.-based charities, universities, and health care organizations. | Ransomware attack on third party. | Blackbaud, a software firm that provides cloud-based donor-management solutions for fundraising purposes. | Approximately six million individual patients’ records were reported to the U.S. Department of Health and Human Services’ HIPAA Breach Reporting Tool. |
| August 2019 | 22 Texas counties and municipalities. | REvil Sodinokibi ransomware attacks compromised systems of the third party. | ConnectWise Control, a managed service provider. | Request for combined ransom amount of $2.5 million, but it was not paid following a coordinated state and federal cyber-response plan. |
The growing reliance on third parties to develop, deploy, maintain, and protect network applications and devices that rely on sensitive data also requires USPF entities to perform ongoing, active management and communication with third parties to adequately prepare, respond, recover, and minimize the probability of loss arising from a cyber attack. Often, when a third-party cyber-security risk arises, we observe a lack of risk management over who has access to system and data assets, and a lack of formal oversight policies and procedures in place to ensure third-party providers remain connected with and accountable to management teams. For USPF issuers, a lack of risk management around third-party cyber-security risks can prove very costly, both in terms of financial losses and reputational risks that can erode public trust.
Prepare: Issuers Need To Ensure Third-Party Vendors Are Considered Within The Entity's Cyber-Security Policies And Practices
Maintaining a sound cyber-security strategy is critical to reducing the chances that third parties will inadvertently be the Trojan horse for cyber attacks. Public sector issuers must acknowledge where their third-party risk exposure is and identify which third parties are granted access to critical assets or sensitive data. This can be done in different ways, although the capital and resources required to employ a cyber-defense strategy can vary widely. Cyber-security requirements (including notification, access controls, monitoring, auditing, and other responsibilities) in third-party vendor contracts need to clearly address data risks and contractually enforce security procedures. While the adoption of cyber-insurance policies varies across the sector, public entities might also share risk by imposing additional procurement and contract requirements on third parties to carry cyber insurance for unique risks not covered under their own policies.
Another emerging trend to reduce third-party vendor risk is to adopt a zero-trust risk posture, which views every device or application as a potential threat and requires identity authentication and authorization to access applications and data. This posture provides the opportunity to create more robust and resilient security, simplify security management to segment and restrict users from data that is off limits, improve end-user experience, and enable modern IT practices. However, this shift could require significant effort and be capital intensive for many public sector entities, as it involves addressing foundational cyber-security issues, automating manual processes, and planning for transformational changes, so it is not without financial and logistical challenges.
Regardless of the approach, once third-party contracts are in place, management teams need to be proactive in monitoring that security procedures are followed by vendors. This includes performing internal or qualified external audits to identify exposure to third-party cyber-security risks and to determine what data the organization has and what levels of security are needed to protect it. Additionally, highly rated management teams should develop and regularly review incident-response plans to address the possibility of unexpected cyber attacks, integrating IT teams in the planning when those services are outsourced. Having good working relationships with third-party vendor security teams could make the difference when these services are most needed following a cyber attack.
The proposed federal Infrastructure Investment and Jobs Act would create a new formula-based grant program through the Department of Homeland Security (DHS) that distributes $1 billion to states between fiscal years 2022-2025 to address cyber-security risks. The grant formula would require states to subgrant 80% of these funds to local governments, and 25% of the local government distribution to rural areas. The bill would also authorize $20 million annually to the DHS to declare a significant cyber-security incident to respond and recover. While this remains a small portion of the overall IT spend across USPF in 2021, S&P Global Ratings believes the federal commitment to make additional cyber-security investments is the first step that could help USPF issuers with limited cyber-security resources to better assess their cyber hygiene and develop plans to address third-party cyber risks.
Respond And Recover: Having The Ability To Quickly Respond To An Attack And Limit The Damage Aids In Recovery
The longer attackers have access to a system, the more damage they can do, making early detection and rapid response critical to limit the financial and reputational damage a cyber attack can present. The greater the damage without an ability to recover system resources, the more likely a cyber attack will cause a deterioration in creditworthiness. When an issuer's IT systems give access to many vendors, enhanced system monitoring could allow for early detection of a cyber attack. Endpoint security management is a key management practice in detecting and blocking attacks in real time. Being able to disable and quarantine potential access points can limit an attacker's ability to steal important data. In addition, continuing to identify vulnerabilities, reassessing potential points of attack in network and communications infrastructure, and understanding how vendor access factors into these vulnerabilities remain important steps in recovery and future prevention.
Ongoing and open communication with the third-party vendor when an attack occurs is necessary to understand what operations might be exposed and what steps will be taken to ensure continuity of services during recovery. This is especially important if much of an entity's IT services are outsourced. Disaster-recovery plans should incorporate cyber risks posed by third-party vendors, establish points of contact and secure channels of communication with third parties in the event of a cyber attack, and ensure that staff are trained and aware of procedures to execute the plan swiftly and effectively. Other best practices include ensuring there are measures in place to minimize losses and stop a potential cyber attack regardless of where the attack originates.
S&P Global Ratings also believes a broader collaborative approach to recovery and promoting better partnerships and sharing of cyber-hygiene practices can enhance the security of citizens' and consumers' data. The federal government recently enacted the False Claims Act, which permits the U.S. Department of Justice to pursue legal action against government contractors that fail to report breaches or misrepresent their cyber-security practices. This could incentivize third-party vendors and private companies to take meaningful action to reduce gaps, both by increasing timely information sharing with the federal government and by hardening cyber defenses of critical infrastructure serving public entities. Indirectly, these measures could provide a framework for states, local governments, and other USPF entities to implement more protective policies and enforce transparency and accountability with third-party vendors.
This report does not constitute a rating action.
Primary Credit Analyst: Thomas J Zemetis, New York + 1 (212) 4381172
Secondary Contacts: Geoffrey E Buswick, Boston + 1 (617) 530 8311; Tiffany Tribbitt, New York + 1 (212) 438 8218; Krystal Tena, New York + 1 (212) 438-1628; Simon Ashworth, London + 44 20 7176 7243
Research Contributor: Vikram Sawant, CRISIL Global Analytical Center, an S&P Global Ratings affiliate, Mumbai