Key Takeaways
- Public sector entities can best combat cyber risks by sharing information, collaborating, and pooling resources, industry experts told an S&P Global Ratings conference.
- The sector should also assess cyber risk exposure as part of their selection process of third-party vendors .
- Companies can minimize potential damage from a cyber security breach by building resistance into their operations, panelists said.
Information sharing, collaboration, and utilization of pooled resources are key tools in securing schools, utilities, and other public entities against malicious cyber actors, some of which are now operating at an industrial scale, cyber experts told S&P Global Ratings' latest U.S. Public Finance Credit Spotlight event, "U.S. Public Finance: Cyber Risk Seminar." A link to the replay is available here.
The virtual conference focused on digital risks to the U.S. public sector, and included representatives from government and organizations that support public entities' cybersecurity efforts.
"We often talk about cyber as a team sport," said Kiersten E. Todt, chief of staff at the Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security. "No entity can protect itself on its own. That is why our engagement with industry is so critical, because we learn from what industry is doing, but importantly the government also has real-time intelligence…that it can share."
Geoff Buswick, managing director and government sector lead in U.S. Public Finance at S&P Global Ratings, said he believed CISA played a positive role in promoting cybersecurity awareness and combatting cyberattacks, notably through its recently established "Shields Up" cyber-threat alert system.
The conference covered subjects ranging from the importance of systematic assessment of cyber risks, to the need for operational resilience to be built into systems to minimize damage from a security breach, and the opportunity for public entities to benefit from cyber security networks such as the Information Sharing and Analysis Centers, known as ISACs.
Frameworks And Support Networks
Participants, who included cyber experts working in and with the U.S. Public Finance sector, offered a sobering assessment of the scope of cyber threats, including the industrialization of ransomware operations, warnings that supply chains are only as strong as their weakest cybersecurity link, and an acceptance that no cyber defense is 100% secure.
"The golden rule is, if you [believe you] haven't been compromised, then you just haven't worked out where you have been compromised," said Bob Schwarm, director of Information Systems, The Metropolitan District, adding that utility operators faced unique cyber security challenges. (For further information see also "Cyber Risk In A New Era: U.S. Utilities Are Cyber Targets And Need To Plan Accordingly", published Nov. 3, 2021).
The panelists said that they considered cyber security frameworks and support networks were important resources for constructing and maintaining cyber defenses. "Having a framework forces organizations to really think about what their strategy is, how it is funded, what personnel they have, what capabilities they have, and it helps answer questions about what they don't know, and drives planning," said Josh Moulin, senior vice president of Operations and Security Service at the Center for Internet Security.
Panelists also said they believe public sector institutions should include cyber risk assessments when selecting third-party vendors, and cooperate with their chosen vendors to mitigate risk. "Cyber is a team sport, and sharing is caring," said Jeremy Wilson, deputy chief information security officer, Security Operations, State of Texas Department of Information Resources (for further details see also "Cyber Risk In A New Era: Are Third-Party Vendors Unwitting Cyber Trojan Horses For U.S. Public Finance", published Oct. 25, 2021).
S&P Global Ratings includes cyber security in its analysis by assessing how issuers incorporate cyber risks into their overall risk management.
The U.S. Public Finance Credit Spotlight conference was part of a series of events and articles by S&P Global Ratings focusing on how cyber risks affect credit analysis. Other events in that series include "Cyber Risk: Learning from the Russia-Ukraine Conflict", held on April 28, 2022, and our Corporate Ratings team's "Cyber Spotlight: Cyber Risk", held on June 15, 2022. Replays of all the events will be available for one year from the date they were held.
Related Research
- ESG Brief: Cyber Risk Management In U.S. Public Finance, June 28, 2021
- Cyber Threat Grows As Russia-Ukraine Conflict Persists, May 11, 2022
Writer: Paul Whitfield
This report does not constitute a rating action.
| Primary Credit Analysts: | Tiffany Tribbitt, New York + 1 (212) 438 8218; Tiffany.Tribbitt@spglobal.com |
| Geoffrey E Buswick, Boston + 1 (617) 530 8311; geoffrey.buswick@spglobal.com | |
| Secondary Contact: | Simon Ashworth, London + 44 20 7176 7243; simon.ashworth@spglobal.com |
No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.