The Water Risk and Resilience Organization (WRRO), currently under deliberation in Congress, aims to enhance the resilience of the U.S. water sector against cyber security threats. U.S. utilities have been recent targets for nation states and cyber criminals, and S&P Global Ratings believes the WRRO would help water systems to achieve improved cyber security resilience, although there could be significant challenges associated with implementation costs, especially for smaller systems.
What's Happening
House Bill 7922 was introduced in April 2024 with the aim of establishing a new governing body, the WRRO, which will propose cyber security resilience requirements and implementation plans, to be approved by the Environmental Protection Agency (EPA). The WRRO would conduct monitoring and assessment of utilities and can impose penalties for non-compliance.
Why It Matters
We view water utilities as a likely target for cyber attacks, as operational disruptions threaten the water supply and place public health and safety at risk. In recent years, water utilities have faced cyber-attacks that have resulted not only in disruption to water treatment, distribution, and storage, but also in critical data loss and severe financial effects, typically related to liquidity. In most cases, a cyber attack has not resulted in a rating action; however, we have done so when a cyber attack has a significant effect on the issuer's financial position, operations, or compliance, or when the attack exposes significant risk in management and oversight.
Our criteria typically factor in cyber and physical risk management as part of our overall assessment of management, and therefore we view efforts to improve cyber policies and practices positively. Cyber security preparedness is evaluated in the operational management assessment of our "U.S. Municipal Water, Sewer, And Solid Waste Utilities: Methodology And Assumptions," published April 14, 2022. In our view, strong management teams usually have comprehensive and proactive policies and practices that address cyber risks, including staff training, system monitoring, and attack response and recovery. Also, we view risk management, culture, and oversight, into which cyber policies are incorporated, as an aspect of governance within our "Environmental, Social, And Governance Principles In Credit Ratings" criteria, published Oct. 10, 2021.
What Comes Next
Given the current lack of a formal framework, the shortage of cyber security professionals, and the challenge of operating legacy systems, we view the efforts proposed by the WRRO to improve cyber policies and practices positively, although we note there could be rating pressure associated with costs and compliance violations, in particular for water systems that are already facing rising operating costs and may require more sophisticated management expertise. Despite these challenges, reasonable minimum requirements and support should improve preparedness to handle cyber security threats, leading to more efficient defense and detection and more timely recovery.
Related Research
- Your Three Minutes In Cyber Security: Cyber Hygiene Can Affect Creditworthiness, Sept. 24, 2024
- Cyber Risk Insights: Ongoing Preparedness Is Key To U.S. Power Utilities Keeping Attackers In The Dark, May 11, 2023
- U.S. Public Finance 2024 Midyear Outlook: A Cooldown Ahead, July 15, 2024
This report does not constitute a rating action.
| Primary Credit Analyst: | Mallie Lange, Austin +1 2147655861; Mallie.Lange@spglobal.com |
| Secondary Contact: | Jenny Poree, San Francisco + 1 (415) 371 5044; jenny.poree@spglobal.com |
No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.