Key Takeaways
- Challenging macroeconomic factors such as rising inflation may leave many U.S. public finance issuers with fewer resources to maintain adequate cyber security protections, potentially raising their vulnerability to attacks.
- Substantive and rising cyber security insurance premiums, coupled with additional security requirements, will further challenge issuers' ability to maintain coverage during a recession.
- Recessionary pressures may accelerate reductions in cyber security insurance coverage, compounding waning coverage levels due to high claims volumes in the past few years.
Cyber attacks against U.S. entities, including public finance issuers, continue to increase, with the number nearly doubling in 2020. While maintaining cyber insurance does not directly prevent or mitigate cyber risk, S&P Global Ratings believes it serves as a financial safeguard and can help issuers recover from the financial losses and liabilities associated with a successful attack. Amid the increased attacks, insurers have increased their premiums and requirements, potentially pressuring issuers' resources. Adding pressure to the situation is the potential for recession: S&P Global Ratings Economic anticipates a very shallow U.S. recession in its baseline forecast, but the recent volatility in the banking sector has added uncertainty regarding the economy's health and inflation is expected to remain high in the near term. With the increasing number of cyber attacks and the growing challenge of maintaining robust cyber protections, credit ratings may be pressured if issuers are unable to sufficiently respond and recover from a cyber attack.
Recession, Rising Costs Could Leave Issuers With Fewer Cyber Security Options
During a recession, growing expenditure costs would likely outpace revenue growth for many issuers, resulting in fewer available resources for cyber security and information technology (IT) departments, making some issuers face the difficult decision of reducing funding and/or staffing for their IT departments. We believe reductions would result in weaker cyber security protection and increase the risk of more impactful cyber attacks in the U.S. public finance (USPF) sector.
The challenging job market coupled with high inflation that has outpaced salary growth, may challenge issuers to keep their IT and cyber security departments fully staffed. And we believe these challenges will only increase considering the high inflation environment, higher compensation available in the private sector versus the public sector, and recession risk. Failure to staff these departments will ultimately result in weaker cyber security protection, which could pressure ratings.
To cut costs during a recession, some issuers may turn to outsourcing for more of their services, including IT and cyber security needs. However, we believe this may introduce issuers to third-party vendor risk, which could increase their vulnerability to cyber attacks if not properly mitigated. We believe issuers will need to understand the risks associated with third-party vendors and incorporate them into their risk-management policies to maintain their ability to respond and recover from a cyber attack. For more information, see the article "Cyber Risk In A New Era: Are Third-Party Vendors Unwitting Cyber Trojan Horses For U.S. Public Finance?" published Oct. 25, 2021, on RatingsDirect.
We believe that how an issuer navigates the challenge of maintaining its cyber security protection during a recession will factor into our assessment of management and has the potential to be the deciding factor between maintaining and lowering a rating.
Advancements In AI Could Herald More Sophisticated Attacks
The advent of more advanced artificial intelligence (AI) tools, such as ChatGPT, may make creating malware or other malicious programs easier and could act as a catalyst for more cyber attacks. ChatGPT may also increase the proficiency in creating phishing attacks in the form of more sophisticated and realistic-looking phishing emails. Threat actors would also be able to easily write these phishing attacks in several languages, which would increase the scope of their phishing attacks. Overall, we have seen an increase in the sophistication and frequency of cyber attacks throughout USPF and we expect this trend will continue for the foreseeable future.
Chart 1
We believe increased cyber attacks could escalate both the financial and operational risk for issuers in the public sector and may lead to weaker reserves and worsening credit quality.
Rising Premiums And Declining Coverage Could Lead To Increase In The Use Of Pooled Cyber Insurance Risk Funds
In recent years, we have seen many USPF issuers maintain a certain degree of cyber security insurance. But as recessionary pressures increase with worsening macroeconomic factors, such as historically high inflation, issuers may be forced to reduce their level of cyber protections in place due to rising operational costs, difficulties in maintaining IT and cyber security staff, and rising cyber insurance policy premiums.
As the number of successful cyber attack claims under insurance policies rises, insurers are adjusting their policy offerings to maintain their own fiscal solvency and remain within their risk limits. (Please see "Cyber Risk In A New Era: The Rocky Road To A Mature Cyber Insurance Market," July 26, 2022.) We believe the trend of insurers reducing the amount of coverage offered under their cyber insurance policies may accelerate and that insurers could even cancel insurance policies held by issuers under a recession scenario.
Compounding this issue is that cyber security insurance premiums have increased annually since 2019, with S&P Global Ratings projecting that these increases will continue through 2025. (See "Cyber Risk In A New Era: The Future For Insurance-Linked Securities In The Cyber Market Looks Uncertain," published Aug. 24, 2022).
Chart 2
This trend could lead to more issuers having less cyber insurance coverage, potentially resulting in increased financial and operational risk and additional credit risk if not sufficiently mitigated.
Another potential outcome of growing insurance costs is that issuers could turn to pooled cyber insurance risk funds offered at the state or county level. These funds serve as an alternative to private cyber security insurance and could offer a sufficient level of protection while remaining affordable for issuers. We anticipate more issuers will turn to publicly offered cyber security insurance during a recession, which could provide more access and keep coverage affordable. (See "As Threats Rise, U.S. Public Finance Entities Take On Mounting Challenges To Secure The Digital Front Line," published Dec 13, 2022.)
As Cyberattacks Rise In Frequency And Sophistication, Issuers Will Need to Remain Vigilant
S&P Global Ratings would consider it a credit risk if issuers are forced to lower their cyber security insurance coverage or forgo it altogether due to rising insurance premiums and reduced revenues. But it's a double-edged sword, because without insurance, issuers may not be able to effectively respond or recover from a cyberattack. Lack of insurance, if not offset by self-liquidity or other protection measures, would make issuers more vulnerable to significant financial and operational consequences from a successful attack.
We believe issuers will need to be able to adapt quickly to an increasingly harsher economic environment with a potential recession looming and maintain sufficient cybersecurity protections and/or insurance to limit the financial and operational risk that comes with a successful cyber attack. If issuers are not able to respond and recover from a cyber attack, resulting in a material weakening of its financial position or operational ability, then we believe credit ratings could be negatively pressured if left unmitigated.
This report does not constitute a rating action.
| Primary Credit Analyst: | Li Yang, San Francisco + 1 (415) 371 5024; li.yang@spglobal.com |
| Secondary Contacts: | Chase C Ashworth, Englewood + 1 (303) 721 4289; chase.ashworth@spglobal.com |
| Alex Louie, Englewood + 1 (303) 721 4559; alex.louie@spglobal.com | |
| Zev Jarashow, New York; zev.jarashow@spglobal.com | |
| Tiffany Tribbitt, New York + 1 (212) 438 8218; Tiffany.Tribbitt@spglobal.com | |
| Geoffrey E Buswick, Boston + 1 (617) 530 8311; geoffrey.buswick@spglobal.com |
No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.