Key Takeaways
- Given the differing roles of U.S. affordable housing issuers -- owner, lender, and developer -- the sector faces varying exposures to event risks stemming from cyber attacks.
- We look for issuers to actively incorporate cyber security into their risk management frameworks. To date, U.S. affordable housing issuers that we rate have not experienced significant operational or financial disruptions resulting from a cyber attack or breach.
- The growing sophistication of cyber attacks means that U.S. affordable housing issuers may need to monitor and adjust risk management practices to evolve with changing threats.
Evolving Risks Require Issuers To Stay Nimble
Issuers that own and operate affordable housing, such as social housing providers and public housing authorities (PHAs), have access to tenants' confidential information, while the risks for lenders such as housing finance agencies (HFAs) relate to homeowners' confidential information. U.S. HFAs, PHAs, and social housing providers could also be exposed to heightened cyber risk from aging technology and data storage systems, with some issuers using on-site servers, rather than cloud storage, to manage critical data.
But with cyber incidents rising, these issuers are responding to increasing threats by stepping up their risk management and IT security. S&P Global Ratings has observed U.S. affordable housing issuers implement various practices to reduce exposure, including transitioning to cloud-based data storage, multifactor authentication, penetration testing, third-party reviews, and increasing employee training.
Cyber Risk As A Factor In U.S. Affordable Housing Issuers' Ratings
S&P Global Ratings' assessment of U.S. affordable housing issuers' cyber security strategy is based on how their policies and procedures can be used to prepare for, respond to, and recover from cyber threats to offset financial and operational risk. "Prepare, respond, recover" summarizes an effective strategy. Comprehensive cyber security can help these issuers mitigate cyber threats as they expand digitization of internal systems and reduce administrative inefficiencies through integration of artificial intelligence. In turn, these efforts can prevent or lessen the impacts a successful cyber attack could have on our view of an issuer's creditworthiness.
We incorporate issuers' cyber security preparedness into our assessment of management and governance under our criteria, "Methodology For Rating Public and Nonprofit Social Housing Providers," published June 1, 2021, and our assessment of management and legislative mandate or federal designation in our "Methodology And Assumptions: Housing Finance Agencies And Social Enterprise Lending Organizations" criteria, published Dec. 27, 2016. Generally, we expect issuers to implement good cyber hygiene practices such as instituting detection tools and alerts and setting policies on how to respond to and recover from an attack (see "Cyber Risk In A New Era: Remedy First, Prevent Second," Sept. 17, 2020). If we view an issuer's risk mitigation policies and practices as weaker than industry standards, it could result in a lower rating than that of peers with similar financial metrics that operate with more robust policies.
We view risk management, culture, and oversight as an aspect of governance within our environmental, social, and governance (ESG) credit factors (see "ESG Brief: Cyber Risk Management In U.S. Public Finance," June 28, 2021). Experienced management teams typically implement comprehensive and proactive policies and practices that address evolving risks like cyber security.
Our view of creditworthiness could shift on operational and financial impacts
In the event of a successful cyber attack, S&P Global Ratings would assess the impact to an issuer's credit quality based on the magnitude and type of attack and subsequent financial and operational disruption.
Operational disruption could:
- Lead to inability to collect rental payments; or
- Interrupt billing procedures.
Unplanned financial costs could result from:
- Potential ransomware payments; or
- Expenditures associated with restoring technology systems.
The financial costs could have an immediate credit impact on an issuer's liquidity. However, in our assessment of creditworthiness, we look at whether financial buffers are available, such as cyber insurance, other forms of liquidity, or even dedicated reserves. In addition, prolonged inability to restore operations, effectively manage communication with stakeholders, or limit the loss of sensitive data, could result in reputational damage if third parties and other stakeholders lose confidence in management's leadership and ability to effectively manage difficult situations.
Case Study: Mr. Cooper Group Inc. (Servicer; B/Positive/--)
Mr. Cooper services loans for millions of U.S. homeowners. In October 2023, certain of its systems were hacked by an unauthorized third party. Once aware of the incident, the company immediately locked down its systems and engaged cyber security experts to resolve the problem as soon as possible.
This response helped the company contain the incident, but nearly 14.7 million current and former customers were affected by the breach and about 4.6 million current customers were still unable to access their accounts to make November mortgage payments. The company acknowledged the service disruption and agreed to cover customers' late fees and penalties and offered free credit monitoring to individuals affected by the hack. According to Mr. Cooper's January 2024 regulatory filing, the cyber attack cost the company $27 million, up from the original $5 million-$10 million estimate, largely due to paying for identity protection for its current and former customers for two years.
Although Mr. Cooper is a private servicer, many rated state HFAs service loans on behalf of their customers or use third-party servicers. The Mr. Cooper cyber incident emphasizes the importance of risk management efforts HFAs employ when acting as servicer or when using third-party vendors as servicer. Integration of such risks into a comprehensive cyber defense strategy to mitigate potential financial and reputational impacts can help support the rating following an event.
For more information, see "Mr. Cooper's Data Breach Reflects Increased Reputational Risks, Although Direct Costs Should Be Manageable," published Dec. 15, 2023.
Case Study: PHAs (Lenders/Owners)
In recent years, PHAs have been victims of ransomware attacks and data breaches. These authorities often engage developers or use outside vendors for rent collection or tenant support systems, which can increase exposure to cyber risks from third parties (see "Cyber Risk In A New Era: Are Third-Party Vendors Unwitting Cyber Trojan Horses For U.S. Public Finance?," Oct. 25, 2021). Although we haven't observed material direct financial impacts of these incidents on affordable housing issuers in the U.S., they have disrupted portions of day-to-day operations. Some of the impacts from cyber incidents include:
- Temporary email accounts: After an employee opened an email, a ransomware attack occurred, requiring the PHA to shut down all systems to avoid losing data. Employees were required to use temporary email accounts for three months. The attack also delayed the release of an audit because of limited access to financial reports. Although in this case no information was compromised, these types of disruptions can expose vulnerabilities in PHAs' cyber security training and internal system defenses. In response, management teams have added system backups and multifactor authentication, and stepped up staff training.
- Inability to use workstation equipment: After ransom notes infected certain workstations at a PHA, they caused system connectivity issues and disabled some employees' computer peripherals. The attackers stole and posted online personal information of the authority's employees. In response, management contained the issue by isolating the affected workstations, and engaged a cyber insurance carrier, attorneys, forensic experts, and the FBI. In addition to changing employee credentials and migrating to a new email system, the authority moved its data storage to the cloud and ensured the latest software patches and updates were installed. It also revised its insurance coverage, and focused on restoration and mitigation efforts, including employee training.
- Potential exposure of confidential information: One of the nation's largest and oldest PHAs had a data breach that mostly affected its human resources department. The attackers specifically identified low-resourced entities that they believed had weak cyber security practices or hygiene. Following the incident, the authority changed employee credentials, migrated to a new email system, moved the system of record to the cloud, and reassessed existing cyber insurance coverage. Another PHA experienced a data breach and ransomware attack; an investigation into the incident found that attackers had access to the authority's systems for approximately one year and might have accessed confidential employee data.
See "U.K. Social Housing Providers Set Their Sights On Cyber Risk," Dec. 16, 2022, for more about social housing providers and cyber risk globally.
The Changing Dynamic Of The Cyber Risk Insurance Market
As the risk of cyber incidents increases, so does the demand for and cost of cyber insurance. Insurance providers can provide key services such as IT expertise, crisis management, and data recovery. However, with rising premiums and other investment and training requirements, some issuers are weighing the option of forgoing insurance for other risk management solutions (see "U.S. Public Finance Issuers Face Challenges In An Evolving Cyber Insurance Market," Oct. 3, 2023).
Although cyber insurance is often a critical risk mitigant, an issuer might use other elements in its cyber risk management strategy to guard against cyber incidents. These elements could include rapid detection, comprehensive training, strong IT asset management, and cyber risk pools. Some U.S. affordable housing issuers, as well as many local governments, have been turning to cyber risk pools to replace traditional private market insurance, which has become increasingly expensive and difficult to obtain. These pools allow issuers to combine their money to create a fund, managed by a third party, that serves as the source for paying claims. Cyber risk pools are similar to traditional insurance, with annual premiums, coverage limits, deductibles, and business interruption and data recovery insurance (see "U.S. Local Governments Are Turning To Cyber Risk Pools For Savings And Security Benefits," March 14, 2024).
Vigilance Is Critical
Despite issuers expanding their efforts to protect against cyber attacks by boosting training, replacing IT infrastructure, and implementing other risk mitigants, cyber attacks are becoming more sophisticated and exposing issuers' vulnerabilities. An issuer's ability to monitor and adjust risk management practices to evolve with changing threats illustrates one way management can demonstrate strong governance that we incorporate into our assessment of creditworthiness. Absent these efforts, there could be negative credit implications from weaker financial positions or management and governance, or transparency issues should cyber attacks lead to an inability to provide certain information we consider in our analysis.
This report does not constitute a rating action.
Primary Credit Analysts:
- Jessica L Pabst, Englewood + 1 (303) 721 4549; jessica.pabst@spglobal.com
- Shirley Flores, New York (646) 831-2467; Shirley.Flores@spglobal.com
Secondary Contacts:
- David Greenblatt, New York + 1 (212) 438 1383; david.greenblatt@spglobal.com
- Caroline E West, Chicago + 1 (312) 233 7047; caroline.west@spglobal.com
- Nora G Wittstruck, New York + (212) 438-8589; nora.wittstruck@spglobal.com