This report does not constitute a rating action.
Key Takeaways
- The potential for political interference and economic disruption made rated sovereigns and their critical infrastructure the target of a majority of reported cyber breaches since 2000, according to data analyzed by S&P Global Ratings.
- Recent geopolitical tensions provide new impetus for attacks on sovereigns, including within the scope of hybrid warfare and to cause political unrest.
- Effectively managing sovereigns' cyber risk requires the investment of time and resources to develop public sector defenses that are robust, responsive, and adaptable to evolving threats.
- Currently, we consider it unlikely that a cyber incident might significantly or directly affect the creditworthiness of a sovereign.
Sovereigns, local governments, and state-owned organizations (including critical infrastructure such as electricity and transportation providers) globally accounted for a majority, about 54%, of cyber breaches reported by entities rated by S&P Global Ratings, according to our analysis of almost 25 years of data provided by RiskRecon, a cyber information service (see chart 1).
The figure is notable, yet not surprising. Government entities are a favored target for politically motivated cyber attacks, which, alongside human errors (often from within organizations), are a principal cause of cyber breaches. According to data from the European Repository of Cyber Incidents (EuRepoC), sovereigns (including institutions such as the military and legislative services) were the target of 47% of politically motivated incidents since 2000. That placed them ahead of critical infrastructure, at 41% of such incidents, which likely attract unwanted attention from hackers as a proxy target for sovereigns, which often own the infrastructure.
Chart 1
The frequency of attacks has risen dramatically since 2019. EuRepoC recorded 314 politicized cyber attacks involving sovereigns and 424 attacks on critical infrastructure in 2024, an increase of 3.5x and 13.7x, respectively, compared to 2018. That trend is likely to continue and could intensify. We expect cyber attacks to be driven by geopolitical instability, while wider cyber breaches will also increase amid the ongoing digitalization of government operations and services across the globe.
Sovereigns that fail to take preventive cyber security measures could face the increased likelihood of a disruptive cyber attack that interrupts revenue collection, damages economic activity, and/or heightens internal and external political tensions.
A Pervasive And Growing Threat
Cyber breaches at sovereigns have increased since the start of 2019 resulting in a compound annual growth rate of about 3%, according to RiskRecon data analyzed by S&P Global Ratings (see chart 2). Incidents of breaches spiked notably in 2020, likely due to COVID-19 prompting rapid digitalization by individuals and organizations, and again in 2023, when we believe that cyber attacks related to geopolitical conflicts contributed to a greater number of breaches. The volatility in cyber incidents is also the result of non-political factors, including the availability of new ransomware or a desire to simply cause disruption. Moreover, the data we cite includes only successful cyber breaches that were confirmed by entities rated by S&P Global Ratings.
Chart 2
Attacks aimed at gaining access to a system (or systems) accounted for about 30% of breaches over the 25 years of data we reviewed. That made hacking the most common cause of a cyber breach, according to RiskRecon, ahead of human error, ransomware demands, and malware attacks.
It is not only sovereigns (central government entities and their services) that are at risk. State-owned organizations and infrastructure can be valuable, critical in nature, and politically symbolic. That makes them a potentially attractive target for cyber attacks, including by criminals, but also by hacktivists (who claim political or moral motivation for their actions), and foreign adversaries (either directly or via proxies).
There is evidence of a recent uptick in the number of attacks on critical infrastructure. That appears to be linked to an increase in the conduct of so-called hybrid warfare, which combines traditional kinetic force with unconventional attacks, including cyber attacks. Hybrid warfare has been a feature of recent conflicts, including the Russia-Ukraine war (since 2022) and the latest Israel-Hamas war (since 2023).
Sovereigns' Key Cyber Risks
We consider that sovereigns currently face three key risks from malicious cyber activity:
Political disruption due to interference or misinformation that disrupts voting, influences opinion, or erodes trust in political processes. About 49 countries are likely to hold parliamentary or presidential elections over the remainder of 2025, according to IHS Markit Data. All will face the prospect of a cyber attack that could disrupt or influence the process. Precedents include the misinformation campaign that reported a coup against Chinese President Xi Jinping in 2022 and attacks on Ecuador's overseas voting systems and domestic institutions during its 2023 presidential election.
Disruption that affects trade and economic growth. Cyber attacks that hobble key public infrastructure could directly damage economies and affect businesses and consumer confidence. For example, a 2022 attack on 30 Costa Rican ministries led to short-term disruptions in trade and the declaration of a state of emergency, though it ultimately didn't affect debt service payments and seemed to have no long-term impact on growth.
Disruption to international relations. Cyber attacks deployed as a tool of espionage can have significant effects on international relations, both between perpetrator and target states and between target states and third-party nations (if damage affects trade or payments). Cyber attacks are also an increasingly important part of conflict (and a threat to fragile treaties), as demonstrated by the hybrid wars between Russia and Ukraine, and Israel and Hamas. Both conflicts have provided prominent examples of state-sponsored cyberattacks, notably targeting communications, utilities infrastructure, and transportation systems.
We have previously written about the potential for cyber incidents to affect a sovereign (see "Cyber Risk In A New Era: How Cyber Risk Affects Sovereigns," Oct. 31, 2022) and provide a summary of the potential impacts below (see table 1).
Unlikely But Consequential Credit Risk
We consider it unlikely that a cyber incident could significantly and directly affect the creditworthiness of a sovereign, though the possibility remains if, for example, a catastrophic cyber event delayed a country’s debt service payments. And we note that a severe attack against a sovereign could trigger knock-on effects for corporations, other organizations, and the population (for example, due to regional outages of key services or an interruption to government transfer payments).
We will continue to monitor cyber attacks on the public sector and monitor sovereigns' preparation for, response to, and recovery from cyber incidents, which we consider within our assessment of an entity's governance and could ultimately weigh on our credit analysis (see "Your Three Minutes In Cyber Security: Cyber Hygiene Can Affect Creditworthiness," Sept. 24, 2024).
Robust and adaptable cyber preparedness is likely to incorporate regular monitoring of global cyber threats; a program of investment in cyber security technology and talent; a national cyber security strategy that is applied across all layers of national and local government; testing that drives improvement, response, and recovery; and timely adaptation to emerging threats. Cyber security systems also increasingly deploy AI in areas such as attack detection, response, and Security Operations Center (SOC) analytics.
| Sovereign Cyber Attacks' Potential Impact | ||
|---|---|---|
| Institutional | ||
| Cyber attacks with a political agenda could weaken confidence in a country’s institutions and, in a more extreme scenario, contribute to domestic instability or regime change. Low sovereign institutional assessments often signal relatively weak governance, which could correlate with lower cyber preparedness and defenses, and thus higher impact from cyber attacks, in our view. | ||
| Economic | ||
| A systemwide attack across several sectors over a prolonged period that affects trade, the banking system, or other critical infrastructure and services could have repercussions for businesses and households. An attack in one country could also have broader effects across geographies and sectors. For instance, the NotPetya attack in 2017 resulted in global losses exceeding $10 billion (see “Cyber Threat Brief: How Worried Should We Be About Cyber Attacks On Ukraine?,” Feb. 22, 2022). Sovereign perpetrators of cyber attacks may face international sanctions that could affect broader economic activity and their access to international trade and financial markets. | ||
| External | ||
| Incidents that affect the trade of goods and services could weaken current account positions and weigh on international liquidity. A potential attack linked to a central bank could also affect a country’s external liquidity position. | ||
| Fiscal | ||
| Cyber disruptions could directly affect a sovereign’s revenue collection capacity by targeting government tax systems. Spending pressure could result from increased spending on cyber security and from costs related to cyber attacks. Our sovereign criteria focuses on the fiscal position of the general government (including national, regional and local governments, and social security and pension funds). However, cyber attacks on government-related enterprises or key public service entities such as utilities, hospitals, or airports could materialize as contingent liabilities for the government. | ||
| Monetary | ||
| A targeted attack on the country’s central bank or wider banking system could affect monetary policy credibility and reflect weak regulatory supervision and coordination. | ||
| Note: This table first appeared in "Cyber Risk In A New Era: How Cyber Risk Affects Sovereigns," Oct. 31, 2022. Source: S&P Global Ratings. | ||
Writer: Paul Whitfield
Related Research
- Cyber Risk Brief: U.K. Public Sector Is Increasingly Under Threat, Oct. 24, 2024
- Your Three Minutes In Cyber Security: Cyber Hygiene Can Affect Creditworthiness, Sept. 24, 2024
- Cyber Risk Insights: IT Asset Management Is Central To Cyber Security, Aug. 15, 2023
- Hacked Off: Australia Strengthens Cyber Security, Dec. 18, 2022
- U.K. Social Housing Providers Set Their Sights On Cyber Risks, Dec. 16, 2022
- Cyber Risk In A New Era: How Cyber Risk Affects Sovereigns, Oct. 31, 2022
- Cyber Risk In A New Era: International Public Finance Is A Target, July 19, 2022
- Cyber Threat Grows As Russia-Ukraine Conflict Persists, May 11, 2022
- Cyber Threat Brief: How Worried Should We Be About Cyber Attacks On Ukraine?, Feb. 22, 202
- Swedish Local Governments Are Holding Up Against Cyber Attacks, Jan. 26, 2022,
IN ADDITION TO THE DISCLAIMERS OTHERWISE STATED HEREIN, THE S&P PARTIES ALSO DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF NONINFRINGEMENT. Further, without limitation, S&P Parties specifically disclaim all representations and warranties that any practice or implementation of this document will not infringe any third-party patents, copyrights, trade secrets, or other rights.
| Primary Contact: | Michelle Keferstein, Frankfurt 49-69-33-999-104; michelle.keferstein@spglobal.com |
| Additional Contacts: | Tiffany Tribbitt, New York 1-212-438-8218; Tiffany.Tribbitt@spglobal.com |
| Roberto H Sifon-arevalo, New York 1-212-438-7358; roberto.sifon-arevalo@spglobal.com | |
| Nora G Wittstruck, New York 212-438-8589; nora.wittstruck@spglobal.com | |
| Paul Alvarez, Richmond 1-2023832104; paul.alvarez@spglobal.com | |
| Martin J Whitworth, London 44-2071766745; martin.whitworth@spglobal.com | |
| Raam Ratnam, CFA, CPA, London 44-20-7176-7462; raam.ratnam@spglobal.com |
No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.