Cyber Risk Insights: Hackers Are Knocking On The Door Of U.S. Affordable Housing Issuers

Evolving Risks Require Issuers To Stay Nimble

Issuers that own and operate affordable housing, such as social housing providers and public housing authorities (PHAs), have access to tenants' confidential information, while for housing finance agencies (HFAs), as lenders, the risks relate to homeowners' confidential information. U.S. HFAs, PHAs, and social housing providers could also be exposed to heightened cyber risk from aging technology and data storage systems, with some issuers using on-site servers, rather than cloud storage, to manage critical data.

But with cyber incidents rising, these issuers are responding to increasing threats by stepping up their risk management and IT security. S&P Global Ratings has observed U.S. affordable housing issuers implement various practices to reduce exposure, including transitioning to cloud-based data storage, multifactor authentication, penetration testing, third-party reviews, and increasing employee training.


Cyber Risk As A Factor In U.S. Affordable Housing Issuer Ratings

S&P Global Ratings' assessment of U.S. affordable housing issuers' cyber security strategy is based on how their policies and procedures can be used to prepare for, respond to, and recover from cyber threats to offset financial and operational risk. "Prepare, respond, recover" summarizes an effective strategy. Comprehensive cyber security can help these issuers mitigate cyber threats as they expand digitization of internal systems and reduce administrative inefficiencies through integration of artificial intelligence. In turn, these efforts can prevent or lessen the impacts a successful cyber attack could have on our view of an issuer's creditworthiness.

We incorporate issuers' cyber security preparedness into our assessment of management and governance under our criteria, "Methodology For Rating Public and Nonprofit Social Housing Providers," published June 1, 2021, and our assessment of management and legislative mandate or federal designation in our "Methodology And Assumptions: Housing Finance Agencies And Social Enterprise Lending Organizations" criteria, published Dec. 27, 2016. Generally, we expect issuers to implement good cyber hygiene practices such as instituting detection tools and alerts and setting policies on how to respond to and recover from an attack (see "Cyber Risk In A New Era: Remedy First, Prevent Second," Sept. 17, 2020). If we view an issuer's risk mitigation policies and practices as weaker than industry standards, it could result in a lower rating than that of peers with similar financial metrics that operate with more robust policies.

We view risk management, culture, and oversight as an aspect of governance within our environmental, social, and governance (ESG) credit factors (see "ESG Brief: Cyber Risk Management In U.S. Public Finance," June 28, 2021). Experienced management teams typically implement comprehensive and proactive policies and practices that address evolving risks like cyber security.

Our view of creditworthiness could shift on operational and financial impacts

In the event of a successful cyber attack, S&P Global Ratings would assess the impact to an issuer's credit quality based on the magnitude and type of attack and subsequent financial and operational disruption.

Operational disruption could:

  • Lead to inability to collect rental payments; or
  • Interrupt billing procedures.

Unplanned financial costs could result from:

  • Potential ransomware payments; or
  • Expenditures associated with restoring technology systems.

The financial costs could have an immediate credit impact on an issuer's liquidity. However, in our assessment of creditworthiness, we look at whether financial buffers are available, such as cyber insurance, other forms of liquidity, or even dedicated reserves. In addition, prolonged inability to restore operations, effectively manage communication with stakeholders, or limit the loss of sensitive data, could result in reputational damage if third parties and other stakeholders lose confidence in management's leadership and ability to effectively manage difficult situations.


The Changing Dynamic Of The Cyber Risk Insurance Market

As the risk of cyber incidents increases, so does the demand for and cost of cyber insurance. Insurance providers can provide key services such as IT expertise, crisis management, and data recovery. However, with rising premiums and other investment and training requirements, some issuers are weighing the option of forgoing insurance for other risk management solutions (see "U.S. Public Finance Issuers Face Challenges In An Evolving Cyber Insurance Market," Oct. 3, 2023).

Although cyber insurance is often a critical risk mitigant, an issuer might use other elements in its cyber risk management strategy to guard against cyber incidents. These elements could include rapid detection, comprehensive training, strong IT asset management, and cyber risk pools. Some U.S. affordable housing issuers, as well as many local governments, have been turning to cyber risk pools to replace traditional private market insurance, which has become increasingly expensive and difficult to obtain. These pools allow issuers to combine their money to create a fund, managed by a third party, from which claims are paid. Cyber risk pools are similar to traditional insurance, with annual premiums, coverage limits, deductibles, and business interruption and data recovery insurance (see "U.S. Local Governments Are Turning To Cyber Risk Pools For Savings And Security Benefits," March 14, 2024).

Vigilance Is Critical

Despite issuers expanding their efforts to protect against cyber attacks by boosting training, replacing IT infrastructure, and implementing other risk mitigants, cyber attacks are becoming more sophisticated and exposing issuers' vulnerabilities. An issuer's ability to monitor and adjust risk management practices to evolve with changing threats illustrates one way management can demonstrate strong governance that we incorporate into our assessment of creditworthiness. Absent these efforts, there could be negative credit implications from weaker financial positions or management and governance, or transparency issues should cyber attacks lead to an inability to provide certain information we consider in our analysis.

This report does not constitute a rating action.

Primary Credit Analysts: Jessica L Pabst, Englewood + 1 (303) 721 4549;
Shirley Flores, New York (646) 831-2467;
Secondary Contacts: David Greenblatt, New York + 1 (212) 438 1383;
Caroline E West, Chicago + 1 (312) 233 7047;
Nora G Wittstruck, New York + (212) 438-8589
