This report does not constitute a rating action.
Key Takeaways
- S&P Global Ratings expects cyberattacks on U.K. social housing providers (SHPs) could become more frequent due to increased digitalization of key services since the COVID-19 pandemic.
- So far, cyberattacks have not had a material credit impact on any entity we rate, but we expect that financial and reputational consequences of an attack could be significant for SHPs.
- We expect more-frequent cyberattacks would lead to SHPs investing more in IT infrastructure and making additional provisions to cover potential losses, including regulatory fines following attacks.
- Damage to SHPs' reputations would also negatively influence investors' attitudes and affect borrowing plans, in our view.
In dealing with one imminent risk, U.K. social housing providers (SHPs) have exposed themselves to another. Cyber risk has increased in recent years for SHPs, particularly since the COVID-19 pandemic's outbreak, mainly because of increased efforts to digitalize internal systems and growth in online services. The sector is a target for cyberattacks because SHPs collect confidential information from tenants in offering an important public service. SHPs are essential in providing safe and well-maintained homes for many people in the country, so a serious disruption could have significant social impacts. While no cyberattack has substantially affected our rated SHPs so far, we think the financial impacts could be considerable, especially if disruption is prolonged and existing IT infrastructure and policies cannot mitigate this. In addition, regulators could impose heavy fines. We think that a significant cyberattack would tarnish an SHP's public image and become a dealbreaker in debt issuances, given that investors are paying more attention to social responsibilities than before.
Social Housing Providers Are Likely Targets
In our view, U.K. SHPs, both large and small, have increasingly become targets of cyberattacks. Clarion Housing Group (A-/Stable/--), one of the largest SHPs in the U.K., became a victim recently. We understand that the attack targeted Clarion's IT infrastructure, causing some of its emails, IT systems, and phone lines to fail. The group has restored many of the affected services. However, while its main repository, in which personal data is stored, was not accessed, it is still investigating the extent to which data stored elsewhere might have been affected. Meanwhile, its reported operating surplus is likely to weaken via additional provisions against rent arrears linked to this incident, although we do not see the financial impact as being an immediate credit risk. Other regional and local SHPs were not immune. Red Kite Community Housing (not rated), an SHP based in Wycombe, lost almost £1 million after cyber criminals mimicked the domain and emailed details of the group's suppliers in 2019. As a result, the Regulator of Social Housing (RSH) revised its governance grade to G2 from G1. The grading system assesses whether an SHP meets the regulator's governance requirements, on a scale from G1 to G4. G1 and G2 are compliant grades.
Similar to many private sector corporations, SHPs in the U.K. increasingly rely on IT systems to provide services to tenants. We think that the pandemic was a catalyst in making online platforms a more-dominant tool for tenant requests when face-to-face meetings were difficult. SHPs also rely more on digital tools to carry out daily operations, including rent collection and tenancy support services. Also, with increased remote working, critical systems that monitor or control assets and processes are becoming increasingly connected to externally facing technology, streamlining business processes and enabling SHPs to provide better services. This is propelling higher efficiency across the sector. However, new technologies, especially those that deploy business intelligence based on residents' data, offer cyber criminals more targets.
Partners of the sector are not immune to the issue. For instance, Plentific, a company that runs a repairs platform for large London SHPs, such as L&Q, Notting Hill Genesis, and Peabody, experienced a cyberattack that indirectly affected SHPs' operations. Local councils, which manage housing benefits and planning, are also targets.
The Sector Is Gearing Up To Tackle The Threat
Many U.K. SHPs are working on stepping up their IT security. While we usually see relevant policies and measures such as business continuity plans and penetration testing, some have gone beyond this by setting up 24/7 monitoring systems, conducting third-party reviews, or providing more training to their employees to raise awareness. Cyber Essentials Accreditation, a government-backed scheme that certifies an organization's defense against cyberattacks, is becoming more popular in the sector. The accreditation ensures an SHP has basic technical controls, such as firewalls, secure configuration, user access controls, malware protection, and security update management. Some SHPs are pursuing further standards, including Cyber Essentials Plus Accreditation and International Organization for Standardization 27001, which covers information security management systems. We consider the sector's increasing effort to strengthen IT infrastructure a credit positive that would somewhat mitigate the rising risk. While it is difficult to quantify the financial impact, some providers account for cyber security breaches in stress testing.
We understand that cyber insurance is common in the sector, but it's getting more expensive. Globally, much of the increase in price has followed a supply and demand mismatch and insurers' cautiousness in taking on new risk (for more information, see "Cyber Risk In A New Era: The Future For Insurance-Linked Securities In The Cyber Market Looks Uncertain," published Aug. 24, 2022 on RatingsDirect). This also applies to U.K. SHPs; indeed, some SHPs have seen the costs of cyber insurance increase.
We understand that most SHPs use their own resources to fund IT infrastructure and other cyber-related investment, with limited help from government grants. The U.K. government is increasing its IT-related investment, such as with this year's National Cyber Security Strategy 2022 that includes £2.6 billion in cyber and legacy IT over the next three years. This exceeds the £1.9 billion over five years committed to the previous strategy from 2016. Although it is unclear whether the funding will benefit SHPs, we see it as a positive sign of the government's financial commitment to overall cyber security.
Incorporating Cyber Risk In U.K. Social Housing Ratings
We embed issuers' cyber risk preparedness in our assessment of U.K. SHPs' management and governance. In our view, SHPs should have a comprehensive cyber strategy to mitigate risks with sufficient monitoring and IT infrastructure. Lack of a strategy could imply weak risk management. We also consider the financial impacts of cyber risk in our financial risk profile assessment.
Cyberattacks Could Be Costly
Cyberattacks could weaken financial performance, the risks of which we assess in the financial risk profile under our rating methodology. Incidents can result in extended service disruptions for SHPs. At the same time, the activation of emergency actions might face hiccups, prolonging disruption to operations--which we have seen in some recent incidents. On top of that, key treasury functions, such as rent collection and payment to suppliers, might not resume in a timely manner.
The U.K. regulator has the power to fine SHPs for data breaches. The related regulatory bodies in England include the Information Commissioner's Office (ICO) and RSH. The ICO could impose a huge fine of up to £17.5 million, or 4% of an SHP's revenue, if it finds breaches are significant. Also, if an organization fails to notify the ICO of notifiable breaches, a fine of up to £8.7 million, or 2% of revenue, could follow. The ICO has other corrective powers. Large SHPs would have more financial capacity to pay any fines but are more exposed to cyber risks, given that their large databases are more attractive to hackers. Conversely, small SHPs could be less likely to be a target but would be more susceptible to any fines. Moreover, SHPs already under financial stress might find themselves hard-pressed to improve IT systems and would become more vulnerable to cyber incidents, unable to absorb the resulting potential losses.
Although we have not seen a cyberattack cause a data breach in the sector in recent years, breaches due to SHPs' human errors are a good proxy for the potential repercussions on financial performance. Watford Community Housing mistakenly sent out an email that contained personal information about customers in 2020. This led to a review from the ICO, which provided recommendations to prevent a similar incident. Also, the group made provisions to cover costs including cyber security coverage being provided to all affected customers, investigatory or remedial costs, and other associated regulatory and legal costs.
Reputations Are At Risk
We think that major cyber incidents could cause serious reputational damage to SHPs. Regaining tenant trust will take a long time after tenants' personal information has been compromised. We believe this could result in a potential loss of investor trust in SHPs' operations. Also, the U.K. social housing sector has a strong element of social responsibility that has attracted sustainability-linked investments in recent years. Cyberattacks could damage an SHP's reputation and cast doubt on its social role, which would put off investors looking at new issuances.
In our view, cyber security has become a growing concern to social housing regulators. In England, RSH has stressed that cyber is a key sector risk. Its introduction of tenant satisfaction measures from April 2023 could further stress providers in handling customer satisfaction if there are any disruptive security incidents.
Although we understand that the sector is increasing efforts in IT infrastructure, cyberattacks are becoming more sophisticated, with attackers constantly seeking ways to exploit system or human vulnerabilities. As we expect that the financial and reputational consequences of cyberattacks could be more significant, we think that cyber security will be increasingly important in SHPs' risk management. Those that do not manage the risk well, via strong planning and management, could see significant negative credit implications.
Related Research
- Cyber Risk In A New Era: The Future For Insurance-Linked Securities In The Cyber Market Looks Uncertain, Aug. 24, 2022
- Cyber Risk In A New Era: International Public Finance Is A Target, July 19, 2022
- Cyber Threat Grows As Russia-Ukraine Conflict Persists, May 11, 2022
- Cyber Threat Brief: How Worried Should We Be About Cyber Attacks On Ukraine? Feb. 22, 2022
- Cyber Risk In A New Era: The Increasing Credit Relevance Of Cybersecurity, July 14, 2021
Primary Credit Analyst: Tim Chow, London +44 2071760684; tim.chow@spglobal.com
Secondary Contacts: Felix Ejgel, London + 44 20 7176 6780; felix.ejgel@spglobal.com
Eileen X Zhang, CFA, London + 44 20 7176 7105; eileen.zhang@spglobal.com
Michelle Keferstein, Frankfurt (49) 69-33-999-104; michelle.keferstein@spglobal.com