- S&P Global Ratings continues to see an increasing number of attacks on U.S. public finance entities, to the point where cyber is now a daily part of risk management and operations for most issuers.
- Cyber risk has moved beyond a specialized aspect to a near-ubiquitous priority that is integral to risk-management frameworks, but adoption of baseline cyber-security standards and frameworks still varies across public finance entities.
- Evolving credit risks include the changing nature of threats, rising cyber-insurance costs, third-party vendor exposure, and regulatory uncertainty. We think issuers will need to adapt to maintain credit quality.
- We incorporate into our credit rating analysis cases where USPF issuers exhibit inadequate cyber-risk management and oversight that is ineffective in mitigating risk, and this could result in a negative rating action.
Once an afterthought, cyber security is now a critical priority for U.S. public finance (USPF) issuers. Often, public sector entities maintain important infrastructure and are trusted with personally identifiable information and digital identities of their customers, making them an increasingly attractive target. In "Cyber Trends And Credit Risks" published Oct. 25, S&P Global Ratings takes a holistic look at cyber security and how it affects credit ratings.
Against the backdrop of volatile geopolitical conflicts and evolving cyber crime on an industrial scale, there has been a proliferation of sophisticated threat actors and malicious cyber activity targeting state, county, and municipal governments, not-for-profit institutions, and critical public infrastructure, which is shifting the threat landscape. A small-but-expanding list of USPF issuers experienced highly visible cyber risk events in 2022, and we expect such events will increase, both in frequency and magnitude.
In 2022, while the most affected USPF sector was local governments, several reported incidents affected issuers in the higher education, health care, charter schools, and utilities sectors. The most common attack types were malware and ransomware, with some distributed denial of service (DDoS) and data breaches. Over the past year, large public entities including Suffolk County, N.Y. and the Los Angeles Unified School District faced significant cyber attacks, and 14 airports nationwide also reported attacks. We continue to monitor the evolving nature of attacks to better understand the credit implications for public issuers across the U.S.
U.S. Public Entities Face Higher Stakes Amid An Evolving Cyber Threat Landscape
Many public sector chief information officers (CIOs) and chief information security officers (CISOs) believe the likelihood of a cyber attack on their organizations is inevitable. While this mindset has created an urgency to harden cyber defenses, recent high-profile cyber attacks have shown the repercussions for public entities that fail to reduce cyber vulnerabilities and minimize damage in the wake of an attack.
Although there is not a single standard for cyber preparedness, industry associations and federal agencies have provided guidance, recommendations, and tools for public entities to assess their cyber resilience. In lieu of a single standard, cyber risk management remains an integral component of wider risk management frameworks that we consider in our credit analysis. We look to the entity to demonstrate how it incorporates best practices into its IT systems, assets, risk assessments, and employee training. However, prioritizing cyber security in a digital transformation and widespread adoption of even baseline cyber security measures still vary widely across thousands of state and local governments, public enterprises, and institutions.
For public entities, accelerated deployment of Internet of Things technologies, migration to cloud platforms, and automation software to monitor and manage services throughout the COVID-19 pandemic provided numerous benefits to the public and their remote workforce, but insufficient cyber security measures and planning continue to endanger public entities, which serve as the trusted holders of sensitive information and custodians/managers of critical public infrastructure. While all 50 states have a CISO, and 30 states increased their cyber security budgets in 2022 from 2021, the National Association of State Chief Information Officers reports barriers remain to unifying state and federal efforts to protect local governments, public enterprises, and critical infrastructure, particularly talent and financial resource gaps. Public entities of all sizes face thinning cyber security and IT workforces, a highly competitive and cost-intensive environment to attract and retain qualified CISOs and cyber security talent, and limited budget resources to build and maintain cyber security infrastructure needed to protect sensitive information, ranging from financial accounts to health records.
In the past several years, we have observed cyber attacks that led to breaches or permanent loss of access to financial and health data, intellectual property, or other personally identifiable information. At the same time, DDoS and ransomware attacks grew in frequency and have shown the potential to severely disrupt day-to-day operations in USPF, including several major cities for extended periods (chart 1). We consider higher education and health care two riskier sectors due to large amounts of personal information used for enrollment, philanthropic support, health record administration, and medical research. For more information, see "Cyber Risk In A New Era: U.S. Colleges And Universities Go Back To School On Cyber Security Preparedness," published Sept. 29, 2022, on RatingsDirect, and "Cyber Risk In Health Care: High Stakes, Valuable Data, And Increasing Connectivity Attract Bad Actors," published Dec. 6, 2022. The impact and severity of cyber attacks and the long-tail costs of financial strain, legal liability, and reputational damage could take years to remedy, as we have seen with the cyber attacks on Princeton Community Health, W.Va. and the City of Baltimore, Md.
Five Ways That Threat Actors Are Transforming The Landscape
The ransomware-as-a-service (RaaS) model is growing. The criminal ransomware industry employing specialized threat actors is developing kits that range from less than $100 to thousands of dollars per month, allowing new threat actors to access the landscape. With smaller price tags to acquire these RaaS kits and technologies that attempt attacks more frequently, smaller ransom bounties could become more common, feature payment methods that are more difficult to track (e.g., cryptocurrencies), and use more experienced negotiation teams that set tight payment deadlines of a week or less to increase the probability of public entities complying with the ransom demand.
Creative destruction as new threat actors emerge. CrowdStrike Intelligence, a cyber defense company, identified 21 new cyber threat actors in 2021, increasing the number to 170 tracked actors. One example is BlackCat, which specializes in RaaS, often targets known security vulnerabilities, and makes persistent attacks to acquire account credentials of public and nonprofit organizations to expose stolen files, most notably in Suffolk County, Fremont County, Colo., and Florida International University. LockBit 3.0, a prolific ransomware variant in 2022, has perpetrated low-profile attacks on entities by infiltrating target networks, cloning files, and transferring them over to a LockBit-controlled system over a brief period, a shift in tactics from more traditional encryption-based ransomware attacks.
Hybrid warfare from nation-state actors continues to target public entities. In 2022, the FBI, National Security Agency, and Cybersecurity and Infrastructure Security Agency (CISA) have issued numerous intelligence reports and threat advisories of malicious cyber activity emanating from adversarial nation-states, particularly for communities and critical public infrastructure. For a politically motivated or state-sponsored cyber criminal, targeting critical infrastructure providers creates a scenario where risks to the attacker are potentially low and rewards for disruption can be high. On Oct. 10, 2022, at least 14 airport websites were affected by a DDoS attack attributed to pro-Russian hackers, although this resulted in no disruption to airport operations or access to information. The attacks claimed by Killnet affected websites for the Los Angeles International Airport, Chicago O'Hare International Airport, and Hartsfield-Jackson International Airport, among others. The attack made airports' websites inaccessible to the public, but no internal airport systems were compromised, nor were operations disrupted.
Social engineering cyber attacks evolve with the aid of artificial intelligence (AI). Carefully crafted socially engineered attacks using more AI-enabled images, videos, audio, or business email tactics are becoming more difficult to identify, particularly at larger public organizations or institutions where threat actors can deceive victims to gain and expand a foothold to extract sensitive information from public entities without arousing suspicion. Increasingly sophisticated AI-generated "deep fake" audio, images, and video could spread harmful disinformation that falsifies the work of or embarrasses public officials and can cause reputational, financial, or regulatory risks, which could erode public trust. To prevent this, more public entities have increased employee trainings and implemented additional safeguards around critical operations and financial processes. A growing trend is the deployment of security AI to detect anomalies and vulnerabilities and repel attacks, but building AI defenses can be labor and resource intensive and become more complicated as threat actors use emerging AI-powered technologies to exploit new weaknesses.
Compromised supply chains expose public entities to third-party vendor risks. The deployment of third-party technologies and associated spending swelled at a frenetic pace the past five years, and they are likely to be an integral piece in executing core missions of public sector entities in the future. However, this exposes public entities to potential cyber vulnerabilities within the third-party supply chain. Public sector issuers must acknowledge where their third-party risk exposure is and identify which third parties are granted access to critical assets or sensitive data. The inclusion of cyber security requirements (including notification, access controls, monitoring, auditing, and other responsibilities) in third-party vendor contracts could be used by public entities to clearly address and contractually enforce data risks and security procedures, which could grow in importance. For more information, see "Cyber Risk In A New Era: Are Third-Party Vendors Unwitting Cyber Trojan Horses For U.S. Public Finance?," published Oct. 25, 2021.
Cyber Insurance Costs Are Increasing
As threats evolve, insurance is adjusting. Many of these adjustments place additional burdens on public finance issuers, either through increasing premiums, or through additional penetration testing and other questions issuers must answer to receive, extend, or renew coverage. For some USPF issuers, the higher standards demanded by insurers to qualify for or renew cyber insurance policies come at a higher cost and can strain limited resources and personnel. S&P Global Ratings projects up to a 25% increase in annual cyber insurance premiums through 2025, which could become cost prohibitive and lead to more public entities pursuing self-insurance or forgoing coverage altogether. For those issuers who maintain their coverage, many insurers are narrowing the type of cyber incidents they cover or increasing their deductibles.
In several states, public and quasi-public organizations have broadened coverage in their intergovernmental risk-sharing pools to include cyber liability as an alternative to private insurance, which could provide more access and keep coverage affordable. For example, the Texas Municipal League Intergovernmental Risk Pool serves 2,800 governments and provides cyber liability coverage if governments meet certain requirements. For more information on our views on insurance, see "Cyber Risk In A New Era: The Rocky Road To A Mature Cyber Insurance Market," published July 26, 2022.
Critical Public Infrastructure Providers Remain Cyber Vigilant
U.S. water and wastewater utilities and public power utilities as well as telecommunications, hospitals, and transportation companies, which all provide essential services and are critical to health and safety and the economy, remain attractive targets for threat actors. Federal agencies have released cyber threat advisories to practice heightened vigilance and increase mitigation measures amid geopolitical tensions, with critical infrastructure being a key target. However, federal cyber security requirements for critical infrastructure have been more stringent, and therefore many of these entities have implemented additional cyber security measures. While anecdotal reports indicate that threat actors could be probing and testing cyber defenses at critical U.S. infrastructure sites, large-scale attacks on critical public infrastructure have been detected and repelled. For example, in August 2021, the Port of Houston was targeted in an attempted cyber attack but successfully defended itself following implementation of its Facilities Security Plan, with no operational data or systems affected as a result.
Overall, we believe management and proactive governance remain key credit considerations across these sectors to thwart potential cyber intrusion. By adopting policies and practices in the event of an attack, these entities insulate themselves by having clear mitigation strategies in place that allow operations to continue without debilitating effects. For more information, see "Cyber Risk In A New Era: U.S. Utilities Are Cyber Targets And Need To Plan Accordingly," published Nov. 3, 2021, and "Cyber Risk In A New Era: U.S. Transportation Infrastructure Providers Remain Vigilant On The Road To Cyber Preparedness," published Oct. 26, 2022.
Although we believe more financial resources for cyber security will be needed in the future, help could be on the way for some public entities to protect critical infrastructure. Through the Infrastructure Investment and Jobs Act, the federal government allocated up to $1 billion to the State and Local Cybersecurity Grant Program (SLCGP) to help states, local governments, rural areas, and territories address cyber security risks to improve the security of critical infrastructure and resilience of the services that state, local, and territorial governments provide their communities (see table). Eligible public entities can apply for SLCGP grants for specific projects, including:
- Implementing cyber governance and planning;
- Assessing and evaluating systems and capabilities;
- Mitigating prioritized issues; and
- Building a cyber security workforce
State And Local Cyber Security Grant Program Appropriations (By State), 2022-2025
| District of Columbia | 2.1 | 4.2 | 3.1 | 1.0 | 10.4 |
| Northern Mariana Islands | 0.5 | 1.0 | 0.8 | 0.3 | 2.5 |
Source: Federal Funds Information for States.
Cyber Incident Regulation: Building A Culture Of Information Sharing And Disclosure
Transparency and accountability are important components across all our USPF criteria, and public entity information sharing on cyber preparedness indirectly informs other aspects of our credit rating analysis. The quality, regularity, and timeliness of disclosure practices, including voluntary disclosure of certain information, particularly when there has been a cyber attack, are critical and can help us assess whether an entity has robust transparency and accountability practices. On the other hand, the absence of timely disclosure of an attack could lead to our inability to assess whether an event will result in a one-time revenue loss or a longer trend leading to potential credit quality deterioration.
Although there is no set regulatory requirement for reporting cyber incidents, we believe a culture of voluntary information sharing can assist local, state, and federal governments to rapidly deploy resources and render assistance to the entity suffering an attack, analyze incoming reporting across sectors to detect trends, and quickly share information with public entities and the public to warn of potential vulnerabilities in the future. One such effort to establish formal channels to share information on cyber incidents is the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), enacted in March 2022, which requires CISA to develop and implement regulations requiring critical public infrastructure entities to report CISA-covered cyber incidents and ransom payments. Until the effective date of the final rule, organizations are not required to submit cyber incident or ransom payment reports under CIRCIA. However, proposed rules could include the following:
Cyber incident reporting requirements. CIRCIA requires CISA to develop and issue regulations requiring covered entities to report to CISA any covered cyber incidents within 72 hours from the time the entity believes the incident occurred.
Ransom payment reporting requirements. CIRCIA requires CISA to develop and issue regulations requiring covered entities to report to CISA within 24 hours of making any ransom payments because of a ransomware attack. CISA must share these reports with federal agencies.
Ransomware vulnerability warning pilot program. CISA must establish a pilot to identify systems with vulnerabilities to ransomware attacks and can notify the owners of those systems.
Cyber Security Preparedness
For public finance issuers, especially those with limited staff and budget, or those who contract their operations out, unknown cyber-related threats can cripple daily operations, receipts of payments, or even debt service payments. We see, across all ratings practices, that comprehensive organizational risk management--that not only protects against an attack but also prepares for the necessary response and recovery following an attack--better protects issuers from compounding financial losses and increasing reputational damage. Frameworks, such as those from the National Institute of Standards and Technology, can help inform an organization's approach to cyber, and we generally view issuers that implement these frameworks as having a risk management culture that reduces the risk of cyber attacks. For more information, see "ESG Brief: Cyber Risk Management In U.S. Public Finance," published June 28, 2021.
Cyber attacks have led to rating changes in multiple sectors including corporates, financial institutions, and USPF. As threats multiply, we expect this trend will increase. Below, we outline four case studies on USPF issuers that were subject to cyber attacks, and how the attacks affected our view of their credit quality.
- Rating: Not rated
- Sector: Local government
- Attack type: Ransomware
- Rating considerations: Timing and quality of information
Credit overview: A cyber attack affected the city's financial systems, directly delaying the release of audited financial results. The event was indicative of potential vulnerabilities in Texarkana's governance practices. In February 2022, we suspended our rating on the issuer, reflecting our view of the city's preparation for, response to, and recovery from cyber security incidents as part of our view of comprehensive risk management strategies.
- Rating: A+/Stable
- Sector: Local government
- Attack type: Ransomware
- Rating considerations: Timing and quality of information
Credit overview: In December 2019, New Orleans experienced a ransomware attack that prevented numerous city services from accessing operational information and data. The city rebuilt many of its systems to restore functionality. However, this delayed the issuance of the 2019 and 2020 audits to the point where S&P Global Ratings placed the ratings on CreditWatch with negative implications due to lack of information. The city was able to provide financial information for us to maintain the rating.
Baltimore Water & Sewer, Md.
- Rating: A+/Stable
- Sector: Municipal utility
- Attack type: Ransomware
- Rating considerations: Timing and quality of information
Credit overview: In February 2022, S&P Global Ratings lowered its rating on Baltimore's wastewater senior lien bonds to 'AA-' from 'AA' and lowered its rating on the city's subordinate-lien wastewater bonds to 'A+' from 'AA-'. The downgrade reflected our view of the enforcement action filed by the Maryland Department of the Environment against the city's wastewater system that we believe stems from governance vulnerabilities that have resulted in regulatory violations. In addition, the city was slow to recover from a cyber attack in 2019, which management reports contributed to the system's compliance, reporting, and operating deficiencies (in addition to billing and procurement). These vulnerabilities resulted in litigation and could reduce liquidity, increase system leverage, and affect public perception, which could hinder the system's future rate-setting flexibility.
Suffolk County, N.Y.
- Rating: A+
- Sector: Local government
- Attack type: Ransomware
- Rating considerations: Operations
Credit overview: On Sept. 8, 2022, the county was hit by a cyber attack that forced officials to take many operations, including payment systems and other essential functions, offline. S&P Global Ratings met with Suffolk County management in late October to discuss the extent of the incident and the county's response. At the time, the county communicated that it had invested about $6 million in cyber security upgrades over the past several years and, because of the attack, increased its cyber security budget by $9 million for fiscal 2023. At the end of fiscal 2021, we calculate the county had $338 million, or about 10.5% of operating expenditures, in available reserves. The county notes that it activated its cyber and disaster recovery plan, which facilitated workarounds to get some business units internally functioning. However, after several weeks, some county systems are still not operable. The county is working with the FBI, New York CISO, as well as two cyber security consulting firms for incident response and forensic support. S&P Global Ratings is monitoring the resolution of the incident and its full impact on the county's operations and finances, as the county continues this investigation and works to get all its services back online. In many complex cyber investigations, it takes several months to fully understand and quantify the consequences and costs of an attack.
This report does not constitute a rating action.
Primary Credit Analysts: Alex Louie, Centennial + 1 (303) 721 4559; Thomas J Zemetis, New York + 1 (212) 4381172
Secondary Contacts: Tiffany Tribbitt, New York + 1 (212) 438 8218; Geoffrey E Buswick, Boston + 1 (617) 530 8311; Krystal Tena, New York + 1 (212) 438-1628