Key Takeaways
- The Cybersecurity and Infrastructure Security Agency states that K-12 traditional school districts and charter schools (K-12 public schools) tend to be a target of cyber crime due to two primary reasons: They are "target rich and cyber poor."
- K-12 public schools maintain highly sensitive data and typically have more limited financial and resource allocation to data security, including in-house cyber security expertise, making them high risk for cyber crime.
- To date, for those S&P Global Ratings rated schools that have faced cyber incidents, we have not observed long-term operational or material financial impacts to credit quality due to cyber risk mitigation plans, including cyber insurance.
- Assessing cyber risk in K-12 public schools is part of our ongoing surveillance for these ratings, as we believe that the true number of cyber attacks on these schools is much higher than what was publicly reported.
- S&P Global Ratings views cyber security as an aspect of U.S. public finance issuers' comprehensive risk-mitigation strategies. We consider risk management and mitigation a governance factor within our environmental, social, and governance (ESG) analysis.
Cyber Attacks: A Growing Threat
For many K-12 public school education leaders across the nation, cyber security and the protection of students' and staff members' personal information are top of mind. Cyber incidents have increasingly affected K-12 public schools in rural and urban areas alike, with impacts ranging from limiting access to networks and data, delaying exams, and cancelling school days to unauthorized access to, and theft of, personal information about students and staff. Rating pressure could arise if a cyber incident materially affects an issuer's financial profile. For example, significant technology investments can be critical after a successful cyber attack, and fund balance and liquidity levels can deteriorate because of a large ransom payment, ongoing attorney and cyber security consultant fees, and the cost of credit monitoring services for affected parties. Issuers can mitigate potential breaches by routinely practicing good cyber hygiene, which includes requiring ongoing and robust staff training, implementing multi-factor authentication, and protecting sensitive data through encryption and redundancy practices. Furthermore, having a comprehensive risk mitigation plan in place allows K-12 public schools to respond promptly and thoroughly if a breach does occur. We incorporate our view of an issuer's cyber security preparedness into our assessment of risk management, looking at how an issuer plans for, responds to, and recovers from cyber attacks (for more information, see "ESG Brief: Cyber Risk Management In U.S. Public Finance," published June 28, 2021).
Many K-12 public schools operate on limited budgets and thin financial operating margins because of heavy reliance on state aid revenue, caps on raising local property taxes, and state limits on the maximum fund balance they can maintain, which in our view makes them vulnerable to operational and liquidity disruptions. Depending on the extent of the incident, a cyber attack can have longer-term operational and budgetary implications and affect overall financial flexibility and credit strength. The Government Accountability Office reports that recovery time after cyber attacks has ranged from two to nine months. Furthermore, cyber security research firm Comparitech found in its 2022 study that downtime from cyber incidents costs the education sector (K-12 and higher education) approximately $9.45 billion annually.
According to the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), while K-12 public schools have improved their cyber risk mitigation capabilities over time, the sector remains a prime target for cyber crime. In September 2022, CISA issued an advisory that a notorious ransomware group was targeting attacks against educational institutions, specifically K-12 public schools. In addition, the Federal Bureau of Investigation noted that cyber criminals are disproportionately targeting the education sector and has identified the need to address cyber security deficiencies in K-12 public schools. In our discussions with issuers that we rate, we have observed that K-12 public school management teams have significantly increased awareness of cyber security risks, with many integrating cyber risk mitigation strategies into their broader risk management planning.
K-12 Public School Cyber Risk Impact On Credit Quality
Although cyber events have not affected any ratings on the K-12 public school issuers we rate, continued adaptation and risk mitigation remain critical. We expect issuers to manage a changing threat landscape and increased attack surfaces.
While the federal government has long required K-12 public schools to have student privacy and data security controls, the abrupt pivot to remote/hybrid learning, as well as the rapid expansion of one-to-one devices in response to the pandemic, both exposed existing vulnerabilities and created new cyber security gaps, leaving many K-12 public schools vulnerable to cyber attacks. As the cyber threat landscape continues to evolve, we expect issuers, both large and small, to adopt systematic and proactive approaches to managing their respective cyber security risks.
Limited resources and capacity to manage risks
Increased use of digitization for instruction and storage of sensitive information enhances the importance of cyber security measures. However, many K-12 public schools may lack sufficient budget, personnel, and overall risk mitigation strategies, including incident response planning to enhance data security. A 2023 survey conducted by the Consortium for School Networking found just 16% of districts had full-time network security staff--down from 21% the previous year, with nearly half devoting less than 2% of their IT budgets to security. With limited resources, how issuers deploy their IT funding and integrate cyber preparedness into overall risk management strategies can be important to mitigate potential rating actions following cyber events.
Education Technology And Third-Party Risk
Along with the K-12 public school shift toward cloud-based education technology comes additional risk from third-party vendors that may lack the appropriate cyber security infrastructure and incident response plans to comprehensively protect student information. There are two types of third-party risk exposure for K-12 public schools--the risk from known vendors with which districts have a signed contract, and the risk from third-party applications and vendors that have access to a school's systems without the school being aware of it. Both types can leave districts open to attacks with far-reaching implications.
A recent example of third-party vendor risk is the Illuminate Education cyber attack that occurred in 2022 and affected more than 1 million students across various states including New York, California, Connecticut, Washington, Oklahoma, and Colorado. Illuminate Education is one of the nation's leading student-tracking software vendors with access to sensitive data that was exposed such as migrant status, descriptions of disabilities, and test scores.
Similarly, in June 2023, the Minnesota Department of Education (MDOE) announced that a contracted third-party technology vendor, MOVEit, experienced an extensive cyber attack. The MOVEit breach affected organizations globally, including at least 500 other state and federal government agencies, financial services firms, pension funds, and many other types of companies and not-for-profit organizations. Sensitive and personal student data was exposed for about 95,000 MDOE students in foster care across the state, including dates of birth and county of foster placement. This was the first reported incident affecting a state educational agency. Soon after, in late July 2023, the Arizona Department of Education's Empowerment Scholarship Account (ESA) program discovered a cyber breach that compromised the data of thousands of students, including disability categories; parents were not notified of the breach. ESA is a tax-funded school voucher program that assists students with the cost of private school tuition or the purchase of home education courses, tutoring, materials, and supplies.
When negotiating contracts, it is important that issuers understand the risks associated with third-party vendors and incorporate them into their risk-management policies to maintain their ability to respond to and recover from a cyber attack. For more details see "Cyber Risk In A New Era: Are Third-Party Vendors Unwitting Cyber Trojan Horses for U.S. Public Finance," published Oct. 25, 2021 on RatingsDirect.
Increasing Cyber Insurance Costs And Requirements
Within our rated universe, K-12 public schools often have cyber insurance. While maintaining cyber insurance does not directly prevent or mitigate cyber risk, S&P Global Ratings believes it serves as a financial safeguard and can help issuers recover from the financial losses and liabilities associated with a successful attack.
A recent Government Accountability Office report indicates accessibility to cyber insurance is becoming a challenge due to higher premiums and increased requirements for cyber hygiene protocols. The insurance market changed rapidly in response to the increased frequency and severity of cyber attacks that spiked in 2020; insurance costs have skyrocketed annually since 2019 and S&P Global Ratings projects that these increases will continue through 2025 (see "Cyber Risk In A New Era: The Rocky Road To A Mature Cyber Insurance Market," July 26, 2022). Insurers have adjusted their prices according to increased demand and risk, lowered coverage limits, and adjusted policies requiring higher levels of risk controls, including encrypted data backup, multifactor authentication, data segmentation, and password policies. Such additional requirements generally align with what we view as a stronger risk mitigation framework.
As a result of these changing dynamics, a subset of K-12 public schools could face operational and/or budgetary constraints in meeting or maintaining the augmented cyber security measures, which may become cost prohibitive for them; this increases the need for strong cyber security preparation and response mitigation measures.
K-12 public school sector: A prime target with rich data
CISA has categorized this sector as being "target rich and cyber poor." For cyber criminals who gain access, these school databases are a treasure trove of personal information that includes personally identifiable information, personal health information, special education and academic records, and payroll and tax records of staff and contract workers, among other valuable data. K-12 public schools have more limited resources relative to other sectors, which makes them more vulnerable as the sophistication of threats increases.
A Growing Threat
A November 2022 report by the Center for Internet Security (CIS) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) found the top five concerns of respondents (K-12 public schools and school districts) to be:
- Lack of funding
- Increasing sophistication of threats
- Lack of documented process
- Lack of cyber security strategy (though a majority of respondents did have cyber insurance)
- Not enough available cyber security professionals
The K-12 school sector, and the government sector, can lag behind the private sector in adopting stronger cyber security mitigation measures.
However, K-12 public schools are implementing targeted measures to mitigate cyber risk. The 2022 MS-ISAC report found that 83% of survey respondents had cyber insurance, and 63% of respondents reported having an incident response plan in place. This aligns with our understanding from speaking with K-12 public school management teams about enterprise risk management: The school districts and charter schools we rate tend to have some type of cyber mitigation measures in place, which often include regular phishing testing and annually required cyber trainings in addition to cyber insurance, and these measures can help schools recover from an attack. Unfortunately, not all schools may be able to maintain cyber insurance given skyrocketing premiums, which in our view may weaken risk mitigation preparedness.
In our view, the combination of these practices enhances resiliency and could enable such entities to prepare for, respond to, and recover from a cyber incident and mitigate a material financial or operational disruption.
Lessons Learned: K-12 Cyber Security Case Studies
Case Studies
- Organization: Los Angeles Unified School District (LAUSD) is the second largest school district in the country
- Rating: AA-/Stable (general obligation bonds)
- Debt outstanding: Approximately $11.4 billion
- Synopsis: In September 2022, LAUSD reported its systems were hacked. Upon discovering the intrusion, the district shut down most of its computer systems to contain the damage before systems were slowly brought back online. The attack compromised data on LAUSD employees and students, including student names, addresses, attendance data, and academic information. It is our understanding that the cyber attack affected access to some of the district's computer systems, but its critical business systems were not hindered, safety and emergency mechanisms remained operational, no classes or district operations were disrupted, and no ransom was paid.
- Rating impact: There was no rating impact as a result of this cyber attack. Upon becoming aware of the cyber breach, the school district activated its emergency response plan, including immediately taking its systems offline and engaging with federal authorities for forensic assistance. The district is also implementing cyber security enhancements as a result of this incident. We view the district's response to and recovery from the incident, as well as its very strong available reserves at 30% of expenditures, as mitigating material credit impact.
______________________________________________________________
- Organization: Des Moines Independent Community School District
- Rating: A+/Stable (sales tax bonds)
- Debt outstanding: Approximately $138.6 million
- Synopsis: After learning of the data breach, the largest school district in Iowa canceled classes for two days for its 30,000 students in early January 2023. The district estimates that the data breach exposed personal data of 6,700 individuals associated with the district; the district is offering complimentary credit monitoring services to those affected. The district did not pay the ransom demand.
- Rating impact: There was no rating impact as a result of this cyber attack. Upon becoming aware of the cyber breach, the school district activated its emergency response plan, including immediately taking its systems offline and engaging with federal authorities for forensic assistance. We view the district's response to and recovery from the incident, as well as its very strong available reserves at 30% of expenditures, as mitigating material credit impact.
Conclusion
Prepare. Respond. Recover. Our approach to understanding cyber risk exposure includes understanding the degree of access controls that are in place, system redundancies, and monitoring processes. Monitoring systems that support early detection is one of the most important strategies to reduce the potential impact of an attack.
Issuer disclosure. While issuer disclosure is not currently required at the federal level, and in many cases not at the state level, we view issuer disclosure as extremely important in determining not only the potential risks but also the mitigation measures. These could include drafting response plans for a potential cyber security attack and ensuring those plans are updated and tested regularly with walkthroughs and full-scale exercises.
Increased state action. States are increasingly taking legislative action to strengthen and formalize cybersecurity support (funding, disclosure requirements, technical support, etc.) for local governments and K-12 public schools. Texas, Florida, and California, for example, have all recently passed a variety of bills to this effect. We expect to see this trend continue across the nation and we view this positively from a credit perspective.
Expanded federal support. In early August 2023, the White House and the U.S. Department of Education hosted a summit focused on K-12 cyber resilience, which included initiatives such as a proposed pilot program providing up to $200 million over three years to increase cyber defenses at schools; the development of a coordinating council to serve as a key resource for preparing for, responding to, and recovering from an attack; and a suite of additional guidance and trainings prepared by leading national cyber security organizations (FBI, National Guard Bureau, and CISA). Private companies, including Amazon Web Services, Cloudflare, and Google, have also opted in to assist K-12 public schools with cyber resources, some at no cost. We view this expanded federal support as very valuable for schools with limited resources.
This report does not constitute a rating action.
Primary Credit Analyst: Krystal Tena, New York + 1 (212) 438-1628; krystal.tena@spglobal.com
Secondary Contacts:
- Brian J Marshall, Dallas + 1 (214) 871 1414; brian.marshall@spglobal.com
- Jessica L Wood, Chicago + 1 (312) 233 7004; jessica.wood@spglobal.com
- Avani K Parikh, New York + 1 (212) 438 1133; avani.parikh@spglobal.com
- Charlene P Butterfield, New York + 1 (212) 438 2741; charlene.butterfield@spglobal.com
- Jane H Ridley, Englewood + 1 (303) 721 4487; jane.ridley@spglobal.com
- Geoffrey E Buswick, Boston + 1 (617) 530 8311; geoffrey.buswick@spglobal.com
Research Contributor: Sue T Ryu, Chicago +1 3122337041; sue.ryu@spglobal.com
No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.