articles Ratings /ratings/en/research/articles/231024-u-s-k-12-schools-are-a-playground-for-cyber-criminals-12892707 content esgSubNav
In This List
COMMENTS

Cyber Risk Insights: U.S. K-12 Schools Are A Playground For Cyber Criminals

COMMENTS

Table Of Contents: S&P Global Ratings Credit Rating Models

COMMENTS

Five Takeaways From U.S. Public Finance In 2024: Uneven Credit Trends Emerge Amid Rising Uncertainty

COMMENTS

U.S. Not-For-Profit Higher Education Outlook 2025: The Credit Quality Divide Widens

COMMENTS

U.S. Not-For-Profit Acute Health Care 2025 Outlook: Stable But Shaky For Many Amid Uneven Recovery And Regulatory Challenges


Cyber Risk Insights: U.S. K-12 Schools Are A Playground For Cyber Criminals

image

Cyber Attacks: A Growing Threat

For many K-12 public schools education leaders across the nation, top of mind is cyber security and the protection of personal information of students and staff. Cyber incidents have increasingly affected K-12 public schools in rural and urban areas alike, with impacts from these attacks varying from limiting access to networks and data, delaying exams, cancelling school days, and gaining unauthorized access to, and theft of, personal information regarding students and staff. Rating pressure could arise if the cyber incident materially impacts an issuer's financial profile. For example, significant technology investments can be critical after a successful cyber attack, and fund balance and liquidity levels can deteriorate due to a large ransom payment, ongoing attorney and cyber security consultant fees, and costs associated with credit monitoring services for affected parties. Issuers can mitigate potential breaches by routinely practicing good cyber hygiene, which consists of a variety of steps such as requiring ongoing and robust staff training, implementing multi-factor authentication, and protecting sensitive data through encryption and redundancy practices. Furthermore, having a comprehensive risk mitigation plan in place allows K-12 public schools to respond to an attack promptly and thoroughly if a breach does occur. We incorporate our view of an issuer's cyber security preparedness into our assessment of risk management, looking at how an issuer plans for, responds to, and recovers from cyber attacks (for more information, see "ESG Brief: Cyber Risk Management In U.S. Public Finance," published June 28, 2021).

Many K-12 public schools operate on limited budgets and financial operating margin due to large state aid revenue reliance, caps on raising local property taxes, and state limits on maximum fund balance they can maintain, which in our view makes them vulnerable to operational and liquidity disruptions. Depending on the extent of the incident, a cyber attack can have longer-term operational and budgetary implications and affect overall financial flexibility and credit strength. The Government Accountability Office reports that recovery time after cyber attacks ranged from two to nine months. Furthermore, cyber security research firm Comparitech found in its 2022 study that education (K-12 and higher education) downtime cost due to a cyber incident is approximately $9.45 billion annually.

According to the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), while K-12 public schools have improved their cyber risk mitigation capabilities over time, the sector remains a prime target for cyber crime. In September 2022, CISA issued an advisory that a notorious ransomware group was targeting attacks against educational institutions, specifically K-12 public schools. In addition, the Federal Bureau of Investigation noted that cyber criminals are disproportionately targeting the education sector and has identified the need to address cyber security deficiencies in K-12 public schools. In our discussions with issuers that we rate, we have observed that K-12 public school management teams have significantly increased awareness of cyber security risks, with many integrating cyber risk mitigation strategies into their broader risk management planning.

K-12 Public School Cyber Risk Impact On Credit Quality

Although there have not been any rating impacts on K-12 public school issuers we rate due to cyber events, continued adaptation and risk mitigation remains critical. We expect issuers to manage a changing threat landscape and increased attack surfaces.

While the federal government has long required K-12 public schools to have student privacy and data security controls , the abrupt pivot to remote/hybrid learning, as well as the rapid expansion of one-to-one devices in response to the pandemic, contributed to both exposing existing vulnerabilities and creating new cyber security gaps, leaving many K-12 public schools vulnerable to cyber attacks. As the cyber threat landscape continues to evolve, we expect issuers, both large and small, to adopt systematic and proactive approaches to manage respective cyber security risks.

Limited resources and capacity to manage risks

Increased use of digitization for instruction and storage of sensitive information enhances the importance of cyber security measures. However, many K-12 public schools may lack sufficient budget, personnel, and overall risk mitigation strategies, including incident response planning to enhance data security. A 2023 survey conducted by the Consortium for School Networking found just 16% of districts had full-time network security staff--down from 21% the previous year, with nearly half devoting less than 2% of their IT budgets to security. With limited resources, how issuers deploy their IT funding and integrate cyber preparedness into overall risk management strategies can be important to mitigate potential rating actions following cyber events.

Education Technology And Third-Party Risk

Along with the K-12 public school shift toward cloud-based education technology comes additional risk from third-party vendors who may lack the appropriate cyber security infrastructure and incidence response plans to comprehensively protect student information. There are two types of third-party risk exposure for K-12 public schools--the risk with known vendors with which districts have a signed contract, and third-party applications and vendors that have access to a school's system that the school is unaware of. Both of these types can leave districts open to attacks with far-reaching implications.

A recent example of third-party vendor risk is the Illuminate Education cyber attack that occurred in 2022 and affected more than 1 million students across various states including New York, California, Connecticut, Washington, Oklahoma, and Colorado. Illuminate Education is one of the nation's leading student-tracking software vendors with access to sensitive data that was exposed such as migrant status, descriptions of disabilities, and test scores.

Similarly, in June 2023, the Minnesota Department of Education (MDOE) announced that a contracted third party technology vendor, MOVEit, experienced an extensive cyber attack. The MOVEit breach affected organizations globally, as well as at least 500 other state and federal government agencies, financial services firms, pension funds, and many other types of companies and not-for-profit organizations. Sensitive and personal student data was exposed for about 95,000 MDOE students in foster care across the state, including dates of birth and county of foster placement. This was the first reported incident affecting a state educational agency, however similarly and soon after, the Arizona Department of Empowerment Scholarship Account (ESA), program discovered a cyber breach in late July 2023 that compromised thousands of students as well as disability categories; parents were not notified of the breach. ESA is a tax-funded school voucher program that assists students with costs for private school tuition or to purchase home education courses, tutoring, materials, and supplies.

When negotiating contracts, it is important that issuers understand the risks associated with third-party vendors and incorporate them into their risk-management policies to maintain their ability to respond and recover from a cyber attack. For more details see "Cyber Risk In A New Era: Are Third-Party Vendors Unwitting Cyber Trojan Horses for U.S. Public Finance," published Oct. 25 2021 on RatingsDirect.

Increasing Cyber Insurance Costs And Requirements

Within our rated universe, K-12 public schools often have cyber insurance. While maintaining cyber insurance does not directly prevent or mitigate cyber risk, S&P Global Ratings believes it serves as a financial safeguard and can help issuers recover from the financial losses and liabilities associated with a successful attack.

A recent Government Accountability Office report indicates accessibility to cyber insurance is becoming a challenge due to higher premiums and increased requirements for cyber hygiene protocols. The insurance market changed rapidly in response to the increased frequency and severity of cyber attacks that spiked in 2020; insurance costs have skyrocketed annually since 2019 and S&P Global Ratings projects that these increases will continue through 2025 (see "Cyber Risk In A New Era: The Rocky Road To A Mature Cyber Insurance Market," July 26, 2022). Insurers have adjusted their prices according to increased demand and risk, lowered coverage limits, and adjusted policies requiring higher levels of risk controls, including encrypted data backup, multifactor authentication, data segmentation, and password policies. Such additional requirements generally align with what we view as a stronger risk mitigation framework.

As a result of these changing dynamics, a subsection of K-12 public schools could face operational and/or budgetary constraints with meeting or maintaining the augmented cyber security measures, which may become cost prohibitive for K-12 public schools, resulting in a greater need for strong cyber security preparation and response mitigation measures.

K-12 public school sector: A prime target with rich data

CISA has categorized this sector as being "target rich and cyber poor." For cyber criminals who gain access, these school databases are a treasure trove of personal information that includes personally identifiable information, personal health information, special education and academic records, and payroll and tax records of staff and contract workers, among other valuable data. K-12 public schools have more limited resources relative to other sectors, which makes them more vulnerable as sophistication of threats increase.

The K-12 school sector, and the government sector, can lag behind the private sector in adopting stronger cyber security mitigation measures.

However, K-12 public schools are implementing targeted measures to mitigate cyber risk. The 2022 MS-ISAC report found that 83% of survey respondents had cyber insurance, in addition to 63% respondents reporting having an incident response plan in place. This aligns with our understanding from speaking with K-12 public school management teams about enterprise risk management: The school districts and charter schools we rate tend to have some type of cyber mitigation measures in place, which oftentimes includes regular phish testing and annually required cyber trainings in addition to cyber insurance and can help schools recover from an attack. Unfortunately not all schools may be able to maintain cyber insurance given skyrocketing premiums, which may weaken risk mitigation preparedness in our view.

In our view, the combination of these practices enhances resiliency and could enable such entities to prepare for, respond to, and recover from a cyber incident and mitigate a material financial or operational disruption.

image

Lessons Learned: K-12 Cyber Security Case Studies

Conclusion

image

Prepare. Respond. Recover.   Our approach to understanding cyber risk exposure includes understanding the degree of access controls that are in place, system redundancies, and monitoring processes. Monitoring systems that support early detection is one of the most important strategies to reduce the potential impact of an attack.

Issuer disclosure.   While issuer disclosure is not required at the federal level, and in many cases at the state level, at this time, we view issuer disclosure as extremely important in determining not only the potential risks but also the mitigation measures. These could include drafting response plans for a potential cyber security attack and ensuring those plans are updated and tested regularly with walkthroughs and full-scale exercises.

Increased state action.   States are increasingly taking legislative action to strengthen and formalize cybersecurity support (funding, disclosure requirements, technical support, etc.) for local governments and K-12 public schools. Texas, Florida, and California, for example, have all recently passed a variety of bills to this effect. We expect to see this trend continue across the nation and we view this positively from a credit perspective.

Expanded federal support.   In early August 2023, the White House and the U.S. Department of Education hosted a summit focused on K-12 cyber resilience which included initiatives such as a proposed pilot program providing up to $200 million over three years to increase cyber defenses at schools; the development of coordinating council to serve as a key resource for preparing for, responding to, and recovering from an attack, and a suite of additional guidance and trainings prepared by leading national cyber security organizations (FBI, National Guard Bureau, and CISA). Private companies, including Amazon Web Services, Cloudfare, and Google, have also opted in to assist K-12 public schools with cyber resources, some at no cost. We view this expanded federal support very valuable for schools w limited resources

This report does not constitute a rating action.

Primary Credit Analyst:Krystal Tena, New York + 1 (212) 438-1628;
krystal.tena@spglobal.com
Secondary Contacts:Brian J Marshall, Dallas + 1 (214) 871 1414;
brian.marshall@spglobal.com
Jessica L Wood, Chicago + 1 (312) 233 7004;
jessica.wood@spglobal.com
Avani K Parikh, New York + 1 (212) 438 1133;
avani.parikh@spglobal.com
Charlene P Butterfield, New York + 1 (212) 438 2741;
charlene.butterfield@spglobal.com
Jane H Ridley, Englewood + 1 (303) 721 4487;
jane.ridley@spglobal.com
Geoffrey E Buswick, Boston + 1 (617) 530 8311;
geoffrey.buswick@spglobal.com
Research Contributor:Sue T Ryu, Chicago +1 3122337041;
sue.ryu@spglobal.com

No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.

Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.

To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.

S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.

S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.

 

Create a free account to unlock the article.

Gain access to exclusive research, events and more.

Already have an account?    Sign in