This report does not constitute a rating action.
Key Takeaways
- IT attacks aimed at Swedish local governments (LRGs) have been increasing, but the LRGs and companies they own have so far been able to fend them off.
- We don't believe such incidents are likely to limit LRGs' ability to raise financing and honor their debt obligations, since most treasury activity takes place through independent external systems.
- Nonetheless, if a cyberattack were to hamper LRGs' ability to deliver essential services like health care and infrastructure, the consequences could be costly, particularly if manual workarounds are needed.
Cyber risks are increasingly threatening the operations of all types of organizations, and LRGs are no exception. In Sweden, LRGs obtain financing and service debt through external systems at clearing houses or banks, and access to those is independent from the LRGs' internal IT systems. Revenue collection is also largely dependent on central government systems. That's why S&P Global Ratings is of the view that cyberattacks directed at Swedish LRGs will not prevent the LRGs from funding their operations or repaying debt. What's more, we expect that highly rated local governments would have back-up plans to manage their debt service and liquidity positions in the event of a prolonged system outage.
Recently, there have been several cyberattacks on Swedish municipalities and government-related entities. We believe there may even have been more successful attacks than publicly admitted, alongside hacking attempts stopped by the LRGs' IT security systems. Ransomware infections have locked certain municipalities out of their internal systems, whereas denial-of-service attacks brought systems down temporarily without a data breach. With those attacks came lost access to databases and inability to pay salaries or invoices, requiring weeks of work to get systems up and running again. Such situations could have huge implications, for instance, if health services cannot access medical journals and schedules, restricting their ability to efficiently take care of patients.
We expect the frequency of cyberattacks, including on municipal-owned companies, will rise as LRGs' operations become more dependent on IT systems, increasing the need for enhanced cyber security. Generally, the number of IT attacks that have credit relevance has gone up in recent years across the globe. Most rating actions stemming from cyber risks follow attacks on specific entities that resulted in a meaningful balance-sheet event, business disruption, or risk of lasting reputation damage (see "Cyber | Are Credit Markets Ready For a Systemwide Attack?" Published Dec. 1, 2021, on RatingsDirect).
Although we see a low likelihood of Swedish LRGs defaulting on debt as a direct result of an IT attack, a system lockout or outage, combined with a lack of contingency plans to carry out crucial operations, could heighten credit risks. For instance, cross-default clauses in the documentation for a municipality's debt may apply. Financial risks would also depend on how long systems are offline, since the volume of transactions and payment information would make manual processing difficult. Contingent liabilities stemming from IT breaches are difficult to gauge. However, we believe the direct costs would have a limited impact on local governments' margins in most cases, since rectifying the situation would lead to only a few weeks of increased overtime pay and/or added consultancy fees.
In our view, Swedish local governments already have advanced digital capabilities. This ensures a certain degree of cyber security but also poses a threat because the LRGs' operations rely on IT systems to function properly. We also see a wide range of preparedness levels in the sector and see the potential for benefits of scale when putting security systems in place. As the threat of IT attacks becomes more prominent, cyber preparedness could influence our view of municipalities' management. That said, the Swedish Association of Local Authorities and Regions has not set common best practice standards for the sector, although LRGs are encouraged to increase efforts to neutralize cyber risk.
Overall, we expect costs associated with cyber security to expand the sector's cost base as IT risks evolve and LRGs find themselves having to install more complex systems to manage them. In our view, the sector is already keenly aware of these risks and has redoubled efforts to mitigate them, including putting training and new technology in place. Given the size of the municipal groups and their robust balance sheets, the related permanent increase in IT costs is unlikely to have a material impact on budgetary performance.
Primary Credit Analysts: | Dennis Nilsson, Stockholm + 46 84 40 5354; dennis.nilsson@spglobal.com |
Carl Nyrerod, Stockholm + 46 84 40 5919; carl.nyrerod@spglobal.com | |
Secondary Contacts: | Erik A Karlsson, Stockholm + 46(0)84405924; erik.karlsson@spglobal.com |
Linus Bladlund, Stockholm + 46-8-440-5356; linus.bladlund@spglobal.com |
No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.