Key Takeaways
- Higher education is among the higher-risk industries for cyber crime due to the vast amounts of personal information used for enrollment, philanthropic support, and medical research.
- Although strong credit quality does not make an institution immune to a cyber intrusion, it can mitigate the credit risk related to a potential cyberattack due to stronger management and governance that employ multiple levels of cyber protection and have greater liquidity to buffer a disruption in operations.
- S&P Global Ratings' views cybersecurity as an aspect of U.S. public finance issuers' comprehensive risk-mitigation strategies. We consider risk management and mitigation a governance factor under environmental, social, and governance (ESG).
- Assessing cyber risk in higher education is part of our ongoing surveillance of all of our private and public college and university ratings.
As U.S. colleges and universities welcome millions of students to campus this fall, an overriding concern, beside the need to assure the continued health and safety of students, faculty, and the campus community, is protecting critical data from cyberattacks.
Chart 1
Tellingly, one of the first webinars for the new academic year sponsored by the Chronicle of Higher Education in late August was "How to Recover From a Cyberattack," and another trade publication noted recently that both the incidence and success of cyberattacks in the higher education sphere are on the rise. As seen in chart 2, education and research are thought to have experienced one of the highest, if not the highest, increase in cyberattacks in 2021 compared with other industries.
Chart 2
Why Is Higher Education More Susceptible To Cyberattacks?
As part of its annual surveillance review of more than 450 rated private and public college and universities in the U.S., S&P Global Ratings requests information from issuers about cyber-security preparedness. The responses we have received over the years provide some insights into the fast-moving cyber threats challenging the sector and how these institutions are trying to stay ahead of those who might seek to harm them. Most rated colleges and universities said they have not had a serious data breach, with only 13% of issuers with cyber insurance reporting a serious data breach as a result of an attempted cyberattack. This suggests to us that current policies and practices in effect to mitigate the risk of such an event have helped to thwart most potential threats; however, the increasing number and evolving nature of the attacks demonstrates the need for continuous investment in this area.
Chart 3
Cyber criminals use increasingly sophisticated strategies to launch attacks. In addition, insurers consider higher education a high-risk sector and are requiring increasing levels of mitigation on the part of colleges and universities before they will underwrite a cyber-insurance policy. Furthermore, we understand recent increases on policy renewals have been in the range of 40%-60% of the previous year's premium but in some cases have reached the triple digits. Rating actions due to cyber-security attacks in the higher education sector have been limited so far to revising outlooks to negative, although in almost all of these cases, there were other contributing factors that typically included enrollment declines or weak financial performance. However, as we have seen in the health care, local government, and utilities sectors, given the potential severity of a cyberattack, we anticipate that it probably will not be too long before a negative rating action occurs that is directly attributable to the consequences of a cyberattack on a college or university.
Proactive Management Team Action Is Key To Good Cyber Hygiene
A telling sign that colleges and universities are taking cyber preparedness very seriously is the elevation or creation of a new position within the senior management ranks of many schools, such as a chief information officer (CIO) or vice president for information technology. Although this type of role has been part of the corporate world for quite some time and is usually known as the chief information security officer, the need for such a position in higher education is more pressing now with increasing media attention on cyber matters and broader global cyber-security issues with cyberwarfare often used by governments to gain access to sophisticated research conducted by many leading colleges and universities. In fact, this past June, China accused the U.S. government of a computer break-in that occurred at its Northwestern Polytechnical University and the U.S. government has made similar allegations about inappropriate access of intellectual property by China and Russia. In May 2021, a federal grand jury in San Diego returned an indictment charging four nationals and residents of the People's Republic of China with a campaign to hack into the computer systems of dozens of victim companies, universities, and government entities in the U.S. and abroad between 2011 and 2018.
We believe college and university management and governance teams are rising to the challenge of thwarting potential cyber intrusion by adopting policies and practices to assure that if cyberattacks occur, there are clear mitigation strategies in place to enable the institution to continue operating without debilitating effects. For the 13% of rated colleges and universities with cyber insurance responding to our survey that said they had experienced a serious data breach, many noted that the attack, upon subsequent investigation, was due to a third-party service provider that had access to sensitive personal data. For example, the third-party service provider incident cited most frequently in the responses to our higher education surveillance questionnaires was the Blackbaud Inc. ransomware attack that occurred from February through May 2020 and resulted in personally identifiable information of alumni, donors, parents, and friends being obtained by the attackers from the colleges and universities that contracted with the company. Blackbaud is one of the world's largest providers of education administration, fundraising, and financial management software. After the data breach, the institutions had to monitor the unfolding situation and notify those affected to explain what transpired and what the school was doing to limit potential damage to these individuals.
S&P Global Ratings' assessment of a college or university's strategy to prepare for, respond to, and recover from a cyberattack uses principles similar to those set out in the National Institute of Standards & Technology (NIST) framework and by the Center for Internet Security (CIS), among others (chart 4). In our view, the emphasis on prevention, response, and recovery is a key element of an effective cyber-security strategy. Notably, many colleges and universities that responded to our questionnaires indicated they use NIST and other similar frameworks as a central element in their cyber security preparedness plans.
Chart 4
S&P Global Ratings views cyber security as an aspect of U.S. public finance issuers' comprehensive risk-mitigation strategies. We consider risk management and mitigation a governance factor under ESG. In fact, more colleges and universities are telling us that their management teams have recognized cyber security as an identified risk in their enterprise risk management programs and have elevated it in their threat matrices. Management teams also tell us that they have elevated cyber-security preparedness as a key topic for board review. In a number of cases, it has been the boards themselves who have asked management to do a deeper dive on their institution's cyber-security preparedness and recommend additional actions to respond to this growing threat.
One private university recently told us that its board's interest in cyber-security preparedness has increased significantly in the past few years. The board heard presentations from the university's CIO and its internal auditor recently, as well as receiving a report on cyber-security preparedness from an external consultant hired to do a strengths, weaknesses, and threats (SWAT) analysis of the current state of the university's information technology (IT) and related potential vulnerabilities. The board also approved a measure to allocate part of the annual capital budget toward beefing up the university's IT infrastructure.
One key takeaway from our analysis of the responses collected from our questionnaires is that good cyber governance and sufficient liquidity generally lessen the likelihood of a successful cyberattack and its adverse consequences while not eliminating the potential for such an attack. For example, Florida International University (AA/Stable), a well-known public research university in Miami-Dade County, in April 2022 found that some of its data were in the possession of BlackCat, a so-called ransomware-as-a-service group. The university believes its system was not breached and no sensitive information was compromised but it is unsure how the data appeared on BlackCat's website. Another example is Howard University (BBB/Positive) in Washington, D.C., which experienced a ransomware attack in early September 2021 that resulted in it having to cancel online and hybrid classes for several days and shut down its network. In addition, the attack prompted another D.C. institution, Georgetown University, to take additional precautions according to its student newspaper known as The Hoya.
Almost all of the public and private colleges and universities that reported a significant data breach, per their response to our surveillance questionnaires, indicated they had cyber insurance. They also reported that the financial cost to respond to the incident was typically modest. Most public universities, on the other hand, often reported not carrying cyber insurance, perhaps because many, as a direct blended component unit of their associated state, rely upon the state's cyber-security defenses and the state's sovereign immunity legal protection.
S&P Global Ratings continues to assess cyber risks in the higher education sector as part of its regular surveillance, as well as in response to reported incidents. Issuers should be prepared to discuss this topic in their annual surveillance meetings with analysts, or shortly after any significant data breach, including threat identification and response and other risk-mitigation steps the college or university has in place and is currently following.
Related Research
- Cyber Risk In A New Era: The Rocky Road to A Mature Cyber Insurance Market, July 26, 2022
- Cyber Risk In A New Era: Are Third-Party Vendors Unwittingly Cyber Trojan Horses for U.S. Public Finance?, Oct. 25, 2021
- ESG Brief: Cyber Risk Management in U.S. Public Finance, June 28, 2021
- U.S. Higher Education Is Learning To Manage Its Own Risk, Dec. 2, 2019
- For U.S. Municipal Issuers: Proper Governance Can Mitigate The Credit Risks From Cyberattacks, June 3, 2019
This report does not constitute a rating action.
| Primary Credit Analyst: | Ken W Rodgers, New York + 1 (212) 438 2087; ken.rodgers@spglobal.com |
| Secondary Contacts: | Beth Bishop, Chicago +1 3122337141; beth.bishop@spglobal.com |
| Jessica L Wood, Chicago + 1 (312) 233 7004; jessica.wood@spglobal.com | |
| Tiffany Tribbitt, New York + 1 (212) 438 8218; Tiffany.Tribbitt@spglobal.com | |
| Research Contributors: | Natalie Nash, Salt Lake City +1 4153715013; natalie.n@spglobal.com |
| Ginger Wodele, New York +1 2124387421; ginger.wodele@spglobal.com |
No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.