articles Ratings /ratings/en/research/articles/220719-cyber-risk-in-a-new-era-international-public-finance-is-a-target-12437828 content esgSubNav
In This List
COMMENTS

Cyber Risk In A New Era: International Public Finance Is A Target

COMMENTS

Instant Insights: Key Takeaways From Our Research

COMMENTS

Central And Eastern Europe Sovereign Rating Outlook 2025: Now More Complicated

COMMENTS

Credit FAQ: Sheinbaum's Agenda And Looming Changes In U.S. And Mexico Relations

COMMENTS

Credit FAQ: Will Argentina's Economic Adjustment Be Different This Time?


Cyber Risk In A New Era: International Public Finance Is A Target

This report does not constitute a rating action.

IPF entities' exposure to cyber risks, and the frequency with which they have suffered attacks, has increased significantly since the pandemic, driven by increased digitalization of internal systems for remote working and growth in online services.

The size of the overhaul was magnified by the public sector's relative lack of IT investment before 2020, particularly compared with the corporate sector. That meant digitalization required substantial new investment, yet IPF entities--which include non-U.S. local and regional governments (LRGs), social housing providers, educational services, and infrastructure entities--often received little funding from central governments to establish or enhance their cyber security systems. We believe this has left the sector with generally weak cyber security infrastructure. That, coupled with its increased digital presence and access to often sensitive information, makes it a prime target for hackers, and leaves IPF entities especially vulnerable to financial and reputational damage from cyber crime.

The list of incidents is growing. In May 2022, the Austrian state of Carinthia was targeted with "Black Cat" ransomware, resulting in the theft of sensitive information and a massive outage of government services. In June 2022, the IT systems of utility providers, transportation companies, and housing associations in the German cities of Frankfurt, Mainz, and Darmstadt were damaged by an attack. And in the same month, the U.K.'s largest social housing provider, Clarion Housing Association, fell victim to hackers that disrupted email servers and internal IT systems.

Cyber Attacks' Twin Threat To IPF Credit Quality

A successful cyber attack can have both immediate and long-term effects on an IPF entity's operations and credit quality. In the immediate aftermath of an attack operations may be disrupted, while revenues from electronic services could decline or cease--with consequences for the entity's financial position.

Over the longer term, we consider the most significant risk to be reputational damage, particularly as many entities store sensitive information, including addresses, bank accounts, and tax data. A breach involving that data could also expose an issuer to regulation and litigation costs, possibly resulting in long-term liquidity issues and increased debt.

An entity that fails to respond to, or recover from, a cyber attack could further suffer reduced access to lenders or debt markets. We consider this a significant risk, particularly for entities with small operating balances, low liquidity levels, and already limited access to capital markets. We do not consider the risk that an attack could hinder timely and full payment of debts to be significant as it would require third-party systems at clearing houses and banks to be affected.

Incorporating Cyber Risk In IPF Ratings

We believe that embedding cyber risk management in a public entity's wider risk assessment is key to reducing the risk of a successful cyber attack and to minimizing damage should such an attack happen. We assess an IPF issuer's cyber preparedness based on principles similar to those set out in the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), and by the International Organization for Standardization (ISO 27001), and the Center for Internet Security (CIS).

Chart 1

image
  • Prepare: We expect public sector entities to have deep knowledge of their IT and business environments, understand the resources required to support critical functions, and the cyber risks they face. This includes an assessment of physical and digital assets, and notably sensitive data that may have special legal protection--such as social security numbers. We anticipate a public sector entity will have in place a cybersecurity strategy that is part of a broader risk management framework, which identifies and tracks cyber threats, addresses key risks, and constantly monitors and tests security systems. We also seek to understand the extent to which an entity protects critical information using safeguards such as firewalls, access control management, and staff training.
  • Respond: We expect a public sector entity to have a detailed incident response plan that is tested frequently and which includes a communication strategy. Security systems that are capable of quickly detecting and responding to a cyber incident are preferable as they help limit the damage and cost of an attack. Systems should also be subject to constant monitoring and improvement. In the event of an attack, an issuer should be able to isolate affected systems, while maintaining essential daily operations. Our analysis also considers an issuer's ability to maintain timely debt service payments.
  • Recover: A public sector entity's resilience planning should be regularly tested, revised, and optimized. We expect this will include the ability to restore data affected by an attack, to reconfigure damaged systems so they can be used, and the means to regain access to compromised systems. We consider communication with stakeholders to also be a key element of a recovery system.

Cyber Risks At LRGs

We view cyber readiness as part of an LRG's financial management responsibilities and expect management teams to include cyber risk in their wider risk assessment and planning. This includes establishing a cyber security strategy, building the required infrastructure, and monitoring cyber defenses and resilience.

Cyber risk preparedness is thus part of our assessment of an entity's financial management, alongside other factors such as political and managerial strength, financial planning, liquidity, debt, and contingent liabilities management.

An LRG's credit quality can be both immediately damaged by a cyber attack and suffer longer term damage from the necessity for increased IT investment and an increase in insurance premiums. Any of these could result in a greater debt burden and weaker liquidity and, dependent on the overall impact, lead us to reassess our view of a company's credit quality, in line with our criteria.

An attack could disrupt liquidity and revenue streams if an LRG is unable to accept payments or deliver services, and result in financial losses both directly and indirectly, due to recovery, regulatory, and litigation costs. We thus consider the LRG's liquidity, and its ability to access liquid assets, as important factors in our resilience assessment, particularly considering that an issuer may find it difficult to quickly raise new debt following an attack.

We recognize that a cyber attack could affect an LRG's ability to service its debts on time and in full, which could lead to a (technical) default, though we consider this scenario unlikely--given that an attack would need to disrupt both the LRG and external service providers, such as clearing houses and banks.

Some LRGs are notably exposed to government-related entities (GREs) due to their reliance on transportation and utility services provided by the latter. Outages in these services, due to a cyber incident, can feed through as a cost to an LRG, which may need to support its GRE. This could weigh on the GRE's budget, and result in the LRG's contingent liabilities increasing over the medium-term.

Chart 2

image

Clicks And Mortar--Cyber Risk In Public And Social Housing

We assess cyber risk at public and non-profit social housing providers using similar criteria to that of other public sector enterprises. Our assessment of housing providers' management and governance is informed by the issuer's cyber risk preparedness, which can lead us to revise an issuer's management score. We consider that management of social housing groups' should have a comprehensive cyber strategy, including monitoring for breaches and system weaknesses. Given housing providers' high public profile, we also consider a comprehensive communication plan to be a crucial element of their cyber preparations.

The competitive nature of the housing sector means that entities are more exposed than other LRGs to the risk of losing market share following a cyber incident. We also believe that housing providers are more exposed than other LRGs to reputational damage from a cyber attack given the potential for financing conditions to deteriorate due to a loss of investor trust. That could prove a substantial post cyber incident cost, in addition to spending related to restructuring, IT services, litigation, and fines.

Chart 3

image

We understand that most public sector entities use their own balance sheets to fund IT infrastructure, and other cyber-related investments, and in most cases don't receive additional support from central governments (or other state owners). This provides limited leeway for LRGs to significantly increase IT-related investment. Nonetheless, we expect an increase in cyber security spending, notably considering the increased cyber threat due to the Russia-Ukraine conflict (see "Cyber Threat Grows As Russia-Ukraine Conflict Persists," published May 11, 2021).

Increased Threat Equals Increased Funding

We believe central governments will increase cyber-related investment in the public sector, and governments have already announced new, or greater, spending on cyber security, which will feed through to LRGs and other public entities.

We consider this an important and positive development, especially given increased demand for digitalization due to home working. We will continue to monitor public sector spending on cyber security to see how it translates into cyber preparedness for our rated entities.

Our experience is that IPF entities operating in supportive environments usually outperform national averages in terms of cyber security. For this to be the case, though, countries typically need a legal framework for dealing with cybercrime, computer emergency response teams (known as CERTs), a national cybersecurity strategy, and working groups whose role is to enhance cyber security--all of which take time to establish and become fully functional. Also, the cyber preparedness of entities within a single country often differs and is unlikely to change without major state investment.

We believe that disruption from cyber attacks could slow digitalization of the public sector, compared with the private sector, where competitive pressures encourage investment in online services and automation. At the same time, relatively simple measures, including staff training, can improve cyber security, helping public sector entities to minimize the cost and disruption of a cyber attack--85% of data breaches are the result of human error, according to the "Data Breach Investigations Report," by telecommunications company Verizon.

The Role, And Difficulties, Of Cyber Insurance

Cyber insurance can mitigate cyber attack risk, though we recognize issues relating to increasing premiums and the scope of coverage are problematic for public sector issuers.

Moreover, insurance providers often conduct technical reviews before accepting clients. Meeting the requirements for insurance, such as multi-factor-authentication, encryption, and intrusion assessments, can increase insurance costs further--though some entities consider the evaluations provide a means to test their systems. The challenges of those technical tests and the high premiums for cyber insurance means many rated entities have no, or insufficient, cover.

We have watched with interest the emergence of alternatives to traditional insurance. For example, some municipalities in Canada and U.K. councils have flagged plans to establish cyber-related funds to provide liquidity access in the event of a cyber attack. Britain's Gloucester City Council received £250,000 ($298,626) from the Government and Local Government Association following a malware attack in December 2021, and it created a reserve of £380,000 to help pay for the longer-term costs of the attack. We expect other entities will build liquidity reserves as part of their cyber preparation planning.

Related Research

Primary Credit Analyst:Michelle Keferstein, Frankfurt (49) 69-33-999-104;
michelle.keferstein@spglobal.com
Secondary Contacts:Felix Ejgel, London + 44 20 7176 6780;
felix.ejgel@spglobal.com
Tiffany Tribbitt, New York + 1 (212) 438 8218;
Tiffany.Tribbitt@spglobal.com
Nik Khakee, New York + 1 (212) 438 2473;
nik.khakee@spglobal.com
Additional Contacts:Hector Cedano, CFA, Toronto + 1 (416) 507 2536;
hector.cedano@spglobal.com
Tim Chow, London +44 2071760684;
tim.chow@spglobal.com
Omar A De la Torre Ponce De Leon, Mexico City + 52 55 5081 2870;
omar.delatorre@spglobal.com
Zahabia S Gupta, Dubai (971) 4-372-7154;
zahabia.gupta@spglobal.com
Dennis Nilsson, Stockholm + 46 84 40 5354;
dennis.nilsson@spglobal.com
Sabrina J Rivers, New York + 1 (212) 438 1437;
sabrina.rivers@spglobal.com
Hugo Soubrier, Paris +33 1 40 75 25 79;
hugo.soubrier@spglobal.com
Patricio E Vimberg, Mexico City + 54 11 4891 2132;
patricio.vimberg@spglobal.com

No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.

Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.

To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.

S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.

S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.

 

Create a free account to unlock the article.

Gain access to exclusive research, events and more.

Already have an account?    Sign in