The U.K. public sector remains a key target for cyber attacks. The increasing digitalization of public services, including the use of artificial intelligence, is adding to public sector entities' financial and operational risk. Despite increasing investments in cyber security overall, we believe that further cyber attacks could occur, potentially disrupting critical services and leading to financial and reputational damage.
What's Happening
Cyber attacks against public sector entities in the U.K. have become more frequent, up by more than 50% in 2023 from the previous year (see chart). Recent high-profile incidents include a broad range of entities across sectors. Attacks have also become more disruptive. For example, the attack on Clarion Housing resulted in significant interruption to its services, which cost around £17 million (about 18% of its net surplus for fiscal year 2023).
We believe that increasing digitalization makes public sector entities more attractive to cyber criminals given the large amount of sensitive and personal information they hold. Moreover, increased geopolitical tensions have made the public sector more attractive to attackers, given the potential to disrupt their critical infrastructure and services.
We think that increasing digitalization goes hand in hand with the need for increasingly cost-effective outsourcing and interaction with third parties. However, we see this as a weak link if not managed and monitored properly, as it could leave entities more vulnerable to indirect supply chain attacks.
Why It Matters
Increasing and continuous cyber security investment could impact financial performance. As disruptions caused by major cyber attacks become increasingly significant to operations, we expect public sector entities to spend more on cyber preparedness, including personnel, equipment, and software. For example, the British Library needs to use about 40% of its reserves to rebuild most digital services after a cyber attack in late 2023. Also, Transport for London will invest about 10% of its capital expenditure (of £1.9 billion per year on average) on technology from fiscal year 2025 to fiscal year 2027 based on its business plan.
A cyber attack could disrupt critical services and may deter investors. Attacks against critical infrastructure entities such as transportation or hospitals could cause significant, immediate disruption to cities or an entire economy. In addition to the short-term operational and financial turmoil, they can also cause reputational harm, potentially weakening investors' confidence.
What Comes Next
Cyber attacks will become more frequent, more disruptive, and more costly. Disruption may become more pronounced as some entities may not be able to keep up with the latest cyber security measures. Moreover, the time to recover from an attack can be prolonged if entities are less prepared to address cyber threats. And on top of direct operational and financial costs, the regulatory body (Information Commissioner's Office or ICO) could impose a fine. At the same time, we believe that financial support from the government would be limited given the current budgetary constraints.
Investment in the U.K. public sector and the use of insurance in cyber security will continue to increase. Ongoing pressure from the government for entities to implement their cyber strategies will lead to rising costs. In turn, this could strain their financial performance if support from the central government is limited.
This report does not constitute a rating action.
Primary Credit Analyst: Tim Chow, CFA, London +44 2071760684; tim.chow@spglobal.com
Secondary Contacts: Felix Ejgel, London + 44 20 7176 6780; felix.ejgel@spglobal.com
Michelle Keferstein, Frankfurt (49) 69-33-999-104; michelle.keferstein@spglobal.com
Additional Contact: Sovereign and IPF EMEA; SOVIPF@spglobal.com