This report does not constitute a rating action.
- The provision of essential services and the sensitive information held by local government organizations, utilities, and health services make them prime targets for cyberattacks.
- Cyber risk management should therefore be a priority for the U.S. Public Finance sector (and private companies), but it often remains underfunded and insufficient.
- Cyber risk mitigation should be integrated into organizational planning, particularly given the complexity of balancing risks across very large systems and organizations within those systems.
Cyberattackers are targeting local government, utilities, and other publicly financed organizations because their essential services and stewardship of sensitive information offer levers to maximize damage and financial gain, panelists told S&P Global Ratings' latest "U.S. Public Finance Cyber Risk Seminar." A replay of the seminar can be accessed at this link.
Within the U.S. Public Finance sector, local government entities are most at risk from threat actors, according to 38% of the seminar's attendees who voted in a survey at the virtual event. Not-for-profit healthcare operators were considered the second most at risk sector, with 22% of votes, followed by utilities, on 19%. Charter schools and housing associations were least at risk, according to the poll.
A panel of analysts from across S&P Global Ratings' U.S. Public Finance team fleshed out those threats with anecdotes suggesting that cyberattacks on public sector institutions have evolved from an emerging risk to become an ever-present threat. That shift has focused management attention on cyber risk, both in terms of its role in organizational risk management and in terms of its possible impact on creditworthiness (see "Cyber Risk Management Is Credit Risk Management, Says Seminar," Nov. 1, 2022).
"Since late 2021, I have attended more management meetings where utilities have reported an attack or a breach, than not," said Jenny Poree, Senior Director and Sector Leader, U.S. Water & Sewer at S&P Global Ratings. "This really speaks to how cyber risk has moved away from being an emerging risk."
"Cyberattacks are increasing in both frequency and severity. About 20% of all cyberattacks are directed toward the healthcare sector with ransomware being the more prevalent kind of attack," said Marc Bertrand, S&P Global Ratings' Associate Director, U.S. Not-for-Profit Healthcare. For more on the cyber risks faced by health care providers see "Cyber Risk In Health Care: High Stakes, Valuable Data, And Increasing Connectivity Attract Bad Actors," Dec. 6, 2022.
Room To Improve
Despite the growing awareness of cyber threats, the seminar heard that cyber risk management at public entities is often insufficient, underfinanced, and lags emerging threats. Those threats include hybrid disinformation operations and cyberattacks, said John Cohen, executive director of the Program for Countering Hybrid Threat at the Center for Internet Security and a former Acting Under Secretary for Intelligence and Analysis and Counterterrorism Coordinator at the U.S. Department of Homeland Security.
"I can't tell you how many times I have met with a CEO, a governor, or a mayor, and they say…'I understand what you are saying about cyber threats, about information operations, but if I invest money there, I am not investing elsewhere'," Cohen said in a discussion with S&PGR's Director U.S. Higher Education Ken Rodgers.
On a more positive note, Cohen said that cybersecurity coordination had improved across government departments and law enforcement, led by better information sharing by the Cybersecurity and Infrastructure Security Agency (CISA), which is part of the Department of Homeland Security, and the FBI. For more on the role that CISA plays in combatting cyber risk, and the support it provides to the private and public sectors, see "Cyber Security Should Be A Team Sport, Say Experts," July 18, 2022.
A Digital Check List
The challenges facing cybersecurity leaders at high-profile public sector agencies were the final topic at the seminar and were tackled by a panel including Colin Ahern, Chief Cyber Officer New York State, and Jayesh Panchal, Systemwide Chief Information Security Officer, University of California System.
Ahern suggested his role, which was created less than a year ago, could be broken down into five focus areas: operating the government network securely and resiliently; ensuring that the state cyber services effectively prevent and respond to cyber incidents; the provision of advice to help create beneficial cyber regulation; communication on cyber issues; and the development of a cyber-focused economy and workforce.
The panel also discussed the need for cyber risk management to be integrated into organizational planning and prioritization, particularly given the complexity of environments where risk mitigation needs to make sense across a very large system and for individual organizations within the system. "A new taxonomy is needed, and a new set of conversations have to be had," said Panchal. "We need a very risk-based and adaptive approach, which looks at not just cyber risk but wider digital risks, third-party risks, the risk to privacy, and the balancing of ethical uses of this technology with the need to create new insights."
Cybersecurity has been discussed in U.S. Public Finance management meetings for nearly a decade. Over that time, S&P Global Ratings has seen how cyber threats to credit quality can evolve quickly, witnessed management teams become increasingly aware of the threats, and watched organizations improve their ability to manage the risks. Our analysts will continue to ask how each entity is thinking about cyber risk and the plans they have in place to "prepare, respond, and recover."
The May edition of the U.S. Public Finance Credit Spotlight Seminar on Cyber Risk is part of a series of events and articles by S&P Global Ratings focusing on how cyber risks affect credit analysis.
Writer: Paul Whitfield
Primary Credit Analysts:
- Alex Louie, Englewood + 1 (303) 721 4559
- Geoffrey E Buswick, Boston + 1 (617) 530 8311
- Thomas J Zemetis, New York + 1 (212) 4381172
- Krystal Tena, New York + 1 (212) 438-1628
- Ken W Rodgers, Augusta + 1 (212) 438 2087
Secondary Contact:
- Tiffany Tribbitt, New York + 1 (212) 438 8218