Once an afterthought, cyber security is now a critical priority for U.S. public finance (USPF) issuers. Often, public sector entities maintain important infrastructure and are trusted with personal identifiable information and digital identities of their customers, making them an increasingly attractive target. In "Cyber Trends And Credit Risks" published Oct. 25, S&P Global Ratings takes a holistic look at cyber security and how it affects credit ratings.

Against the backdrop of volatile geopolitical conflicts and evolving cyber crime on an industrial scale, there has been a proliferation of sophisticated threat actors and malicious cyber activity targeting state, county, and municipal governments, not-for-profit institutions, and critical public infrastructure, which is shifting the threat landscape. A small-but-expanding list of USPF issuers experienced highly visible cyber risk events in 2022, and we expect such events will increase, both in frequency and magnitude.

In 2022, while the most affected USPF sector was local governments, several reported incidents affected issuers in the higher education, health care, charter schools, and utilities sectors. The most common attack types were malware and ransomware, with some distributed denial of service (DDoS) and data breaches. Over the past year, large public entities including Suffolk County, N.Y. and the Los Angeles Unified School District faced significant cyber attacks, and 14 airports nationwide also reported attacks. We continue to monitor the evolving nature of attacks to better understand the credit implications for public issuers across the U.S.

U.S. Public Entities Face Higher Stakes Amid An Evolving Cyber Threat Landscape

Many public sector chief information officers (CIOs) and chief information security officers (CISOs) believe the likelihood of a cyber attack on their organizations is inevitable. While this mindset has created an urgency to harden cyber defenses, recent high-profile cyber attacks have shown the repercussions for public entities that fail to reduce cyber vulnerabilities and minimize damage in the wake of an attack.

Although there is not a single standard for cyber preparedness, industry associations and federal agencies have provided guidance, recommendations, and tools for public entities to assess their cyber resilience. In lieu of a single standard, cyber risk management remains an integral component to wider risk management frameworks that we consider in our credit analysis. We look to the entity to demonstrate how it incorporates best practices into its IT systems, assets, risk assessments, and employee training. However, prioritizing cyber security in a digital transformation and widespread adoption of even baseline cyber security measures still vary widely across thousands of state and local governments, public enterprises, and institutions.

For public entities, accelerated deployment of Internet of Things technologies, migration to cloud platforms, and automation software to monitor and manage services throughout the COVID-19 pandemic provided numerous benefits to the public and their remote workforce, but insufficient cyber security measures and planning continue to endanger public entities, which serve as the trusted holders of sensitive information and custodians/managers of critical public infrastructure. While all 50 states have a CISO, and 30 states increased their cyber security budgets in 2022 from 2021, the National Association of State Chief Information Officers reports barriers remain to unifying state and federal efforts to protect local governments, public enterprises, and critical infrastructure, particularly talent and financial resource gaps. Public entities of all sizes face thinning cyber security and IT workforces, a highly competitive and cost-intensive environment to attract and retain qualified CISOs and cyber security talent, and limited budget resources to build and maintain cyber security infrastructure needed to protect sensitive information, ranging from financial accounts to health records.

In the past several years, we have observed cyber attacks that led to breaches or permanent loss of access to financial and health data, intellectual property, or other personal identifiable information. At the same time, DDoS and ransomware attacks grew in frequency and have shown the potential to severely disrupt day-to-day operations in USPF, including several major cities for extended periods (chart 1). We consider higher education and health care two riskier sectors due to large amounts of personal information used for enrollment, philanthropic support, health record administration, and medical research. For more information, see "Cyber Risk In A New Era: U.S. Colleges And Universities Go Back To School On Cyber Security Preparedness", published Sept. 29, 2022, on RatingsDirect, and "Cyber Risk In Health Care: High Stakes, Valuable Data, And Increasing Connectivity Attract Bad Actors," published Dec. 6, 2022. The impact and severity of cyber attacks and the long-tail costs of financial strain, legal liability, and reputational damage could take years to remedy, as we have seen with the cyber attacks on Princeton Community Health, W.Va. and the City of Baltimore, Md.

Five Ways That Threat Actors Are Transforming The Landscape

Ransomware-as-a-service (RaaS) model is growing.   The criminal ransomware industry employing specialized threat actors is developing kits that range from less than $100 to thousands of dollars per month, allowing new threat actors to access the landscape. With smaller price tags to acquire these RaaS kits and technologies that attempt attacks more frequently, smaller ransom bounties could become more common, feature more difficult to track payment methods (e.g., cryptocurrencies), and use more experienced negotiation teams that set tight payment deadlines of a week or less to increase the probability of public entities complying with the ransom demand.

Creative destruction as new threat actors emerge.   CrowdStrike Intelligence, a cyber defense company, identified 21 new cyber threat actors in 2021, increasing the number to 170 tracked actors. One example is BlackCat, which specializes in RaaS, often targets known security vulnerabilities, and makes persistent attacks to acquire account credentials of public and nonprofit organizations to expose stolen files, most notably in Suffolk County, Fremont County, Colo., and Florida International University. LockBit 3.0, a prolific ransomware variant in 2022, has perpetrated low-profile attacks on entities by infiltrating target networks, cloning files, and transferring them over to a lock-bit-controlled system over a brief period, a shift in tactics from more traditional encryption-based ransomware attacks.

Hybrid warfare from nation-state actors continues to target public entities.   In 2022, the FBI, National Security Agency, and Cybersecurity and Infrastructure Security Agency (CISA) have issued numerous intelligence reports and threat advisories of malicious cyber activity emanating from adversarial nation-states, particularly for communities and critical public infrastructure. For a politically motivated or state-sponsored cyber criminal, targeting critical infrastructure providers creates a scenario where risks to the attacker are potentially low and rewards for disruption can be high. On Oct. 10, 2022, at least 14 airport websites were affected by a DDoS attack attributed to pro-Russian hackers, although this resulted in no disruption to airport operations or access to information. The attacks claimed by Killnet affected websites for the Los Angeles International Airport, Chicago O'Hare International Airport, and Hartsfield-Jackson International Airport, among others. The attack made airports' websites inaccessible to the public, but no internal airport systems were compromised, nor were operations disrupted.

Social engineering cyber attacks evolve with the aid of artificial intelligence (AI).   Carefully crafted socially engineered attacks using more AI-enabled images, videos, audio, or business email tactics are becoming more difficult to identify, particularly at larger public organizations or institutions where threat actors can deceive victims to gain and expand a foothold to extract sensitive information from public entities without arousing suspicion. Increasingly sophisticated AI-generated "deep fake" audio, images, and video could spread harmful disinformation that falsifies the work of or embarrasses public officials and can cause reputational, financial, or regulatory risks, which could erode public trust. To prevent this, more public entities have increased employee trainings and implemented additional safeguards around critical operations and financial processes. A growing trend is the deployment of security AI to detect anomalies and vulnerabilities and repel attacks, but building AI defenses can be labor and resource intensive and become more complicated as threat actors use emerging AI-powered technologies to exploit new weaknesses.

Compromised supply chains expose public entities to third-party vendor risks.   The deployment of third-party technologies and associated spending swelled at a frenetic pace the past five years, and they are likely to be an integral piece in executing core missions of public sector entities in the future. However, this exposes public entities to potential cyber vulnerabilities within the third-party supply chain. Public sector issuers must acknowledge where their third-party risk exposure is and identify which third parties are granted access to critical assets or sensitive data. The inclusion of cyber security requirements (including notification, access controls, monitoring, auditing, and other responsibilities) in third-party vendor contracts could be used by public entities to clearly address and contractually enforce data risks and security procedures, which could grow in importance. For more information, see "Cyber Risk In A New Era: Are Third-Party Vendors Unwitting Cyber Trojan Horses For U.S. Public Finance?," published Oct. 25, 2021.

Cyber Insurance Costs Are Increasing

As threats evolve, insurance is adjusting. Many of these adjustments place additional burdens on public finance issuers, either through increasing premiums, or through additional penetration testing and other questions issuers must answer to receive, extend, or renew coverage. For some USPF issuers, the higher standards demanded by insurers to qualify for or renew cyber insurance policies come at a higher cost and can strain limited resources and personnel. S&P Global Ratings projects up to a 25% increase in annual cyber insurance premiums through 2025, which could become cost prohibitive and lead to more public entities pursuing self-insurance or forgoing coverage altogether. For those issuers who maintain their coverage, many insurers are narrowing the type of cyber incidents they cover or increasing their deductibles.

In several states, public and quasi-public organizations have broadened coverage in their intergovernmental risk-sharing pools to include cyber liability as an alternative to private insurance, which could provide more access and keep coverage affordable. For example, the Texas Municipal League Intergovernmental Risk Pool serves 2,800 governments and provides cyber liability coverage if governments meet certain requirements. For more information on our views on insurance, see "Cyber Risk In A New Era: The Rocky Road To A Mature Cyber Insurance Market," published July 26, 2022.

Critical Public Infrastructure Providers Remain Cyber Vigilant

U.S. water and wastewater utilities and public power utilities as well as telecommunications, hospitals, and transportation companies, which all provide essential services and are critical to health and safety and the economy, remain attractive targets for threat actors. Federal agencies have released cyber threat advisories to practice heightened vigilance and increase mitigation measures amid geopolitical tensions, with critical infrastructure being a key target. However, federal cyber security requirements for critical infrastructure have been more stringent, and therefore many of these entities have implemented additional cyber security measures. While anecdotal reports indicate that threat actors could be probing and testing cyber defenses at critical U.S. infrastructure sites, large-scale attacks on critical public infrastructure have been detected and repelled. For example, in August 2021, the Port of Houston was targeted in an attempted cyber attack but successfully defended itself following implementation of its Facilities Security Plan, with no operational data or systems affected as a result.

Overall, we believe management and proactive governance remain key credit considerations across these sectors to thwart potential cyber intrusion. By adopting policies and practices in the event of an attack, these entities insulate themselves by having clear mitigation strategies in place that allow operations to continue without debilitating effects. For more information, see "Cyber Risk In A New Era: U.S. Utilities Are Cyber Targets And Need To Plan Accordingly," published Nov. 3, 2021, and "Cyber Risk In A New Era: U.S. Transportation Infrastructure Providers Remain Vigilant On The Road To Cyber Preparedness," published Oct. 26, 2022.

Although we believe more financial resources for cyber security will be needed in the future, help could be on the way for some public entities to protect critical infrastructure. Through the Infrastructure Investment and Jobs Act, the federal government allocated up to $1 billion to the State and Local Cybersecurity Grant Program (SLCGP) to help states, local governments, rural areas, and territories address cyber security risks to improve the security of critical infrastructure and resilience of the services that state, local, and territorial governments provide their communities (see table). Eligible public entities can apply for SLCGP grants for specific projects, including:

• Implementing cyber governance and planning;
• Assessing and evaluating systems and capabilities;
• Mitigating prioritized issues; and
• Building a cyber security workforce

Table 1

Cyber Incident Regulation: Building A Culture Of Information Sharing And Disclosure

Transparency and accountability are important components across all our USPF criteria, and public entity information sharing on cyber preparedness indirectly informs other aspects of our credit rating analysis. The quality, regularity, and timeliness of disclosure practices, including voluntary disclosure of certain information, particularly when there has been a cyber attack, are critical and can help us assess whether an entity has robust transparency and accountability practices. On the other hand, the absence of timely disclosure of an attack could lead to our inability to assess whether an event will result in a one-time revenue loss or a longer trend leading to potential credit quality deterioration.

Although there is no set regulatory requirement for reporting cyber incidents, we believe a culture of voluntary information sharing can assist local, state, and federal governments to rapidly deploy resources and render assistance to the entity suffering an attack, analyze incoming reporting across sectors to detect trends, and quickly share information with public entities and the public to warn of potential vulnerabilities in the future. One such effort to establish formal channels to share information on cyber incidents is the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), enacted in March 2022, which requires CISA to develop and implement regulations requiring critical public infrastructure entities to report CISA-covered cyber incidents and ransom payments. Until the effective date of the final rule, organizations are not required to submit cyber incident or ransom payment reports under CIRCIA. However, proposed rules could include the following:

Cyber incident reporting requirements.  CIRCIA requires CISA to develop and issue regulations requiring covered entities to report to CISA any covered cyber incidents within 72 hours from the time the entity believes the incident occurred.

Ransom payment reporting requirements.  CIRCIA requires CISA to develop and issue regulations requiring covered entities to report to CISA within 24 hours of making any ransom payments because of a ransomware attack. CISA must share these reports with federal agencies.

Ransomware vulnerability warning pilot program.  CISA must establish a pilot to identify systems with vulnerabilities to ransomware attacks and can notify the owners of those systems.

Cyber Security Preparedness

For public finance issuers, especially those with limited staff and budget, or those who contract their operations out, unknown cyber-related threats can cripple daily operations, receipts of payments, or even debt service payments. We see, across all ratings practices, that comprehensive organizational risk management--that not only protects against an attack but also prepares for the necessary response and recovery following an attack--better protects issuers from compounding financial losses and increasing reputational damage. Frameworks, such as the National Institutes of Standards and Technology, can help inform an organization's approach to cyber, and we generally view issuers that implement these frameworks as having a risk management culture that reduces the risk of cyber attacks. For more information, see "ESG Brief: Cyber Risk Management In U.S. Public Finance," published June 28, 2021.

Case Studies

Cyber attacks have led to rating changes in multiple sectors including corporates, financial institutions, and USPF. As threats multiply, we expect this trend will increase . Below, we outline four case studies on USPF issuers that were subject to cyber attacks, and how it affected our view of their credit quality.