Key Takeaways
- For public finance issuers, their public nature, limited resources, and increasing focus on disruptors, such as COVID-19, wildfires, hurricanes, and social protests, make them inviting targets for cybercriminal attacks.
- Geopolitical tensions can pose direct cyber risks to U.S. public finance issuers.
- Management teams need to remain cyber vigilant even while addressing other risks.
- Cyber breaches pose several risks. These include the loss of financial assets, infrastructure and organizational disruptions, as well as the erosion of public trust.
The increasing sophistication of cybercriminals continues to make cybersecurity a greater focus of risk mitigation in public finance. Along with all the other exogenous risks facing rated entities in 2020, cyberattacks continue to grab headlines, as seen recently with attacks on the state of Minnesota; the city of Hartford, Conn.; numerous Texas school districts; and health care and higher education institutions on the front lines of the pandemic. Even as issuers become better prepared and more nimble, the threat from cyberattacks is increasing.
Municipal entities and public enterprises are built on a foundation of trust and transparency with their constituencies: budgets are approved in public; taxes and other revenues are collected; and constituents rely on services being delivered. Cyber breaches can not only lead to financial losses and the misuse of information, but any service disruptions they cause also erode the inherent trust and credibility of the affected organizations. Cyber threats are common within the municipal sector, but we have observed that disruptive events--whether social, environmental, or governmental--provide additional opportunity for breaches and further contribute to this risk.
Their Very Public Nature Makes Municipal Issuers Prime Targets For Cyberattacks
Global pandemics, periods of social or political tension, and natural disasters can all be exploited by cybercriminals while a management team is focused elsewhere. Increased interest from hostile actors, including international players, who might disagree with specific government policies, could be partially predicated on the fact that municipal institutions are public, which often leads to information being more freely available than that of corporate counterparts. In addition, given the service mission and base of many municipal issuers, some actions could create an emotional response or be perceived as reasons to attack. These issues, coupled with the finite nature of many issuers' resources, make municipal and public enterprises prime targets for cyberattacks. We consider cyber risk an important emerging risk to consider when evaluating issuer creditworthiness and believe that cyber risk issues will become worse before getting better. With all these factors considered, S&P Global Ratings ranks cybersecurity as a top risk to North American public finance issuers (see "Credit Conditions North America: Potholes On The Road To Recovery," published Sept. 29, 2020, on RatingsDirect).
Hostile actors in the cyberspace realm are always honing their approach, continuously improving tools such as social engineering attacks and communication disruptions. Most of all, these groups keep well apprised of the news and global events because they know the most effective time to strike is when management is already preoccupied elsewhere. Cybercriminals can be more adaptive and flexible in their approach than the existing countermeasures designed to thwart them; therefore, effective and robust cybersecurity policies, regularly preparing for attacks, and good cyber hygiene are critical to safeguard institutions, especially during periods of disruption.
Cyberattacks Are Flourishing As Organizations Struggle To Respond To The Spread Of COVID-19
Responding to disruptive events or disasters has always been one of the most challenging aspects of governance in public finance. Today, this is further exacerbated by the rise in cyberattacks occurring simultaneously with the need to respond to disasters or disruptive events.
The global spread of COVID-19 has been the most significant disruptive event of the past decade. While the pandemic has resulted in tragic human suffering and economic hardship, it has also contributed to an increase in cyber risk for municipal entities. Interpol's secretary general has observed that there has been an "alarming rate of cyberattacks during COVID-19" and that "cybercriminals are developing and boosting their attacks at an alarming pace, exploiting the fear and uncertainty caused by the unstable social and economic situation created by COVID-19" ("Cybercrime: COVID-19 Impact," www.interpol.int, Aug. 4, 2020).
The pandemic presents a "perfect storm" scenario for cybercrime to flourish. One of the most effective defenses against the spread of the coronavirus is physical distancing. However, as organizations rapidly shifted to remote work and social-distancing countermeasures, they also had to adapt their technological footprint to cope with an unprecedented new reality. The rapid switch to remote work exposed gaps in the critical infrastructure of many organizations, which cybercriminals have exploited. Criminals have used the rapid increase in virtual business and communication to better mask their efforts to target municipal entities in more nuanced ways.
We have observed an increase in social engineering attacks, which consist mainly of phishing and pretexting (an attempt to trick users into helping attackers evade security controls), opening the cyber door for criminals to carry out ransomware infections, invoice fraud, and other attacks that can cost substantial amounts of cash at a time when public finance budgets are already stressed. The effects of this have been especially acute in the health care sector.
Hospitals Face Two Foes: The Pandemic And Cybercriminals
Health care organizations, due to the financial and personal information they collect, have long been a favorite target for cybercriminals. Public health care institutions rated by S&P Global Ratings have been discussing cyber-protective measure, or good cyber hygiene, with our analysts for years. However, the pandemic has added an extra layer of complexity to cyber challenges in the sector. As hospitals and medical facilities are on the front line of the pandemic and are grappling with the demands of treating complex cases, they are increasingly being targeted by cybercriminals who recognize that such institutions cannot afford to be locked out of their systems at this time, and would most likely pay ransoms--posing a risk to their already finite finances.
Although this problem has been most pronounced in the health care sector since the start of the pandemic, the same trend has made itself felt in the other municipal government sectors. Nefarious cyber actors depend on the assumption that while senior management is navigating the realities of tailoring its business operations around the pandemic, it will be less prepared and more vulnerable to attack and exploitation.
Natural Disasters Provide Fertile Ground For Cyberattacks
Natural disasters can also expose municipal entities to cyber threats. Hurricanes, earthquakes, and wildfires cause significant disruptions in the flow of information and make conducting business difficult. With senior leadership and staff attempting to manage the disaster response, cybercriminals could step up phishing and pretexting campaigns to gain access to critical systems. During disasters, local governments are contacted by a multitude of governmental, environmental, professional, humanitarian, and charitable organizations offering assistance or services to the affected community. Cybercriminals have become astute at masquerading as representatives of legitimate organizations to fool staff into unknowingly allowing them into their systems. Successful phishing campaigns pose multiple risks, as the resulting loss of data could hamper ongoing efforts to deal with the natural disaster, lead to a loss of public trust in institutions, and ultimately cost much-needed recovery dollars.
We believe that planning and cyber vigilance before a disaster occurs are key to credit stability. Since the nature of cybercrime is constantly evolving, training, preparedness, and employee awareness must also adapt and evolve. With the uptick in the frequency of wildfires and severity of hurricanes, due in part to climate change, coupled with the limited resources of municipal institutions and the continuously growing expertise of cybercriminals, cyber risk stemming from natural disasters could be on the rise.
In Times Of Social Unrest, Online Activists Are Seeking A Platform For Their Views
Another emerging cyber risk to municipal institutions is sustained internet activism that results from periods of social or political tension and unrest. This phenomenon generally affects state and local institutions. In recent months, we have seen a pronounced uptick in cyberattacks and hacktivism, mostly centered on the divisive political mood of the nation and the discourse about race and police tactics in the wake of the death of George Floyd in Minneapolis. Street protests and unrest have been accompanied by a slew of online activism, which has sometimes taken the form of cyberattacks. These attacks are generally perpetrated by ideologically motivated groups of hackers. The goal of hacktivism is to use techniques, generally in the form of distributed denial of service (DDoS) or redirecting type attacks, to avenge a perceived injustice, or expose embarrassing or incriminating materials related to an organization. Incidents in Minneapolis and the State of Minnesota showed that these DDoS attacks are not necessarily financially motivated, but aim to disrupt flows of information when the public might be looking to the entity's website to be better informed about ongoing protests; or to divert users to another webpage to give the attackers a platform for their opinions. Hacktivism can result in a loss of credibility for management and the organization as a whole, leading to the erosion of public trust, which could affect the entity's mission.
The loss of constituent trust is an important risk factor, as diminished public support could weaken or damage the ability of the affected entity to raise the funds needed to rebalance the system, or lead to calls for the removal of management and leadership. Therefore, an organization's response planning should always include transparency in addition to clear methods of communicating with its constituency.
Geopolitical Events Can Lead To Increased Cyber Risk For Local Governments
The use of cyberattacks as an instrument to impair an entity or disrupt operations due to geopolitical tensions poses unique risks to municipal institutions. The FBI has listed cyber as one of its top risks to the nation in 2020 ("Worldwide Threats To The Homeland," www.fbi.gov, Sept. 24, 2020). For a motivated cybercriminal, targeting municipal institutions creates a scenario where risks to the attacker are low and rewards for disruption can be high. In the past, municipal institutions were much more insulated from risks posed by geopolitical conflicts. These days, technological innovation and the efficiencies it creates for municipal institutions have transformed how business is conducted. However, the reliance on technology as a benchmark of critical municipal infrastructure means that local institutions can now be targeted in ways that were not possible in the past. Public finance within the U.S. entities can find themselves affected by geopolitical conflicts where diplomatic tension or conflicts on the other side of the globe could make them targets, either directly or as collateral damage. Geopolitical cyberactivity poses both governmental and social risks for municipal entities. Cyberattacking organizations with political motives might not distinguish between federal, state, or local entities, and could see all three as legitimate targets in conflicts. With public trust as a key component of local government success, targeted disinformation campaigns could harm the social fabric and cause discord, resulting in the loss of constituent confidence. The very visible recent high-profile attacks on major U.S. cities, such as Atlanta, and port facilities, as experienced as the shipping line Maersk was attacked, illustrates the potential for geopolitical events to directly affect the creditworthiness of municipal issuers in the U.S.
Related Research
- Credit Conditions North America: Potholes On The Road To Recovery, Sept. 29, 2020
- Cyber Risk In A New Era: Remedy First, Prevent Second, Sept. 17, 2020
- U.S. Public Finance Issuers Must be Nimble to Fend Off Cyberattacks Or They Could Face Credit Fallout, Feb. 25, 2020
- Cyber Risk Management For U.S. Municipal Utilities Should Be Routine And Requires Vigilance And Flexibility, Feb. 3, 2020
This report does not constitute a rating action.
| Primary Credit Analyst: | Geoffrey E Buswick, Boston + 1 (617) 530 8311; geoffrey.buswick@spglobal.com |
| Secondary Contact: | Tiffany Tribbitt, New York + 1 (212) 438 8218; Tiffany.Tribbitt@spglobal.com |
No content (including ratings, credit-related analyses and data, valuations, model, software or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment and experience of the user, its management, employees, advisors and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw or suspend such acknowledgment at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain non-public information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.standardandpoors.com (free of charge), and www.ratingsdirect.com and www.globalcreditportal.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.standardandpoors.com/usratingsfees.
Any Passwords/user IDs issued by S&P to users are single user-dedicated and may ONLY be used by the individual to whom they have been assigned. No sharing of passwords/user IDs and no simultaneous access via the same password/user ID is permitted. To reprint, translate, or use the data or information other than as provided herein, contact S&P Global Ratings, Client Services, 55 Water Street, New York, NY 10041; (1) 212-438-7280 or by e-mail to: research_request@spglobal.com.