Amid rising online security threats, issuers must protect credit quality

The increasing number and frequency of cyberattacks against municipalities is a cause for credit concern, S&P Global Ratings says.

U.S. public finance sector issuers will need to take actions in order to maintain credit quality, S&P said in a report released Dec. 13.

"Once an afterthought, cyber security is now a critical priority for U.S. public finance issuers," S&P said. "Often, public sector entities maintain important infrastructure and are trusted with personal identifiable information and digital identities of their customers, making them an increasingly attractive target."

Online attacks cost Baltimore's water and sewer system a downgrade this year and adversely affected the credit quality of New Orleans, the rating agency said.

Since the pandemic started, online security threats have increased, driven in part by significant expansion of remote work throughout the public sector, the report's primary authors, Alex Louie, Thomas Zemetis, Tiffany Tribbitt, and Krystal Tena, told The Bond Buyer.

"One of our key takeaways is that it's an evolving landscape, one in which these threats are becoming more and more apparent and leading to higher profile incidents," Zemetis said in an interview.

He added that the tactics the criminals use are changing and the traditional ways in which public entities respond, such as the use of cyber insurance, are becoming more and more challenged.

"There are ways in which public entities need to evolve and build risk management within their structures because it doesn't seem that these conditions are going to be stopping — they're only going to become higher stakes and more challenging," Zemetis said.

The threats and the people who are behind the attacks are changing quickly, Louie said, and how municipal issuers are responding to these threats is also changing.

"I've been seeing it mostly in the insurance space," Louie said. "I had a call with an issuer who said their premium went up 100% and that their cyber insurance has new requirements on what they need to do. For example they needed to institute multi-factor authentication just to get coverage."

MFA requires a user to provide two or more verification factors to gain access to an account, instead of simply a password.

Tribbitt said some market sectors are more vulnerable to attack than others.

"There are higher-interest targets, such as healthcare and higher education, which tend to have more personally identifiable data that could be valuable on the dark web black market," she said.

She added that critical infrastructure in the U.S. could face threats from nation states.

"Cyber war is now an integrated part of nation-state conflict," Tribbitt said. "So there are implications for some of our issuers as a result of that, especially in the critical infrastructure sector."

Just this month, the California Department of Finance was the victim of a cyberattack, with the Russia-affiliated ransomware group LockBit claiming responsibility.

In October, CommonSpirit Health priced more than $1 billion of debt on schedule after disclosing a ransomware attack.

And this fall, the government of Suffolk County, New York, population 1.5 million, was forced offline for weeks by a ransomware attack.

The private sector should not be left out of the equation, said Davis Hake, co-founder and vice president of business development at Resilience, a cyber insurer, which provides both intelligence and security as well as insurance services to its customers.

"The overwhelming majority of critical infrastructure in this country is all in private sector hands," he told The Bond Buyer. "So the government has always had a national security interest in working with the private sector to try and share information, share best practices and standards, to try and help them — either increase their safety or their reliability for the American people."

He also said cybersecurity should encompass risk management, rather than just the technical side of things.

He noted that forecasting this threat differs from other kinds of forecasting, such as predicting a weather event like a hurricane, because these attacks are human generated, nefarious and adversarial.

"We really saw these threats accelerate just before the pandemic," Hake said. "What really changed was that you had some real innovation in the ransomware space — this had been a low-level threat for a long time. Insurance companies back in 2016 were not that concerned about it; they were tracking it, but in a lot of those attacks, the extortions were low, the organizations they were targeting were small and many affected people just paid the ransom and the criminals went away."

He said the attackers were not as sophisticated back then.

"But as you got closer to 2018 and 2019, a lot of these criminal groups started seeing an opportunity in developing their business model," Hake said.

"So 2018 and then into 2019, you really saw the rise of ransomware against critical infrastructure. It became a huge, huge problem," he said. "And now today, we've seen cities, universities, healthcare organizations become victims."

S&P pointed to two case studies it conducted that showed how cyberattacks can affect a municipality's ratings and credit quality even years after an incident.

In both cases cited, it was the timing and quality of information from a city that caused the problems.

In December 2019, New Orleans was hit by a ransomware attack that prevented numerous city services from accessing information and data. The city had to rebuild many of its systems to get them working again after the attack.

"This delayed the issuance of the 2019 and 2020 audits to the point where S&P Global Ratings placed the ratings on CreditWatch with negative implications due to lack of information," S&P said.

In the end, however, the city was able to provide the financial information to S&P, which kept the rating at A-plus with a stable outlook.

Things were worse in Baltimore, where in February S&P downgraded the Baltimore Water and Sewer System's wastewater senior lien bonds to AA-minus from AA and cut the rating on the city's subordinate-lien wastewater bonds to A-plus from AA-minus.

"The downgrade reflected our view of the enforcement action filed by the Maryland Department of the Environment against the city's wastewater system that we believe stems from governance vulnerabilities that have resulted in regulatory violations," S&P said. "In addition, the city was slow to recover from a cyber attack in 2019, which management reports contributed to the system's compliance, reporting, and operating deficiencies (in addition to billing and procurement)."

S&P said these vulnerabilities resulted in litigation and might reduce liquidity, increase system leverage and affect public perception, which could hinder the system's future rate-setting flexibility. The rating outlook is now stable, S&P said.

"A lot of the times when you see rating actions [coming years later] following a cyber event, it is because of that failure to respond to that attack and get back to baseline," Tribbitt said. "That's why you can see these long credit tails on these types of attacks because the response and recovery can take a couple of years."

As threats evolve, the cyber insurance industry is adjusting. As costs rise, public finance issuers will feel the heat, either through increasing premiums or through additional testing or other questions they must answer to get, extend or renew coverage.

S&P is projecting a rise of up to 25% in the cost of annual cyber insurance premiums through 2025, which could lead to public entities pursuing self-insurance or skipping coverage altogether.

Many insurers are narrowing the type of incidents they cover or increasing deductibles.

In several states, public and quasi-public organizations have broadened coverage in intergovernmental risk-sharing pools to include cyber liability as an alternative to private insurance, which could provide more access and keep coverage affordable, according to S&P.

"There have been a lot of stories about the rising insurance prices. Certainly the pandemic has driven a lot of that," Hake said. "But I think one of the things that cyber insurance is going to have to do as a product is to really have to show its real value. If all cyber insurance does is act as a market-based risk-transfer product as it does today, I think it misses a huge opportunity to actually drive better cyber resilience."

Moody's Investors Service views laws proposed or passed by several states prohibiting local governments from paying ransoms in cyberattacks as an encouraging trend.

S&P believes states and local governments will need to provide more financial resources for online security in the future, but said that some help could be on the way from Washington, D.C.

The federal government has allocated up to $1 billion to the State and Local Cybersecurity Grant Program to help states, local governments, rural areas and territories.

The program was created under the Infrastructure Investment and Jobs Act. Public entities can apply for SLCGP grants for specific projects, which include implementing cyber governance and planning; assessing and evaluating systems and capabilities; mitigating prioritized issues; and building a cyber security workforce.

"When we tend to talk about cybersecurity, we are evaluating how you prepare for an attack, how you respond to an attack and how you recover from it," S&P's Tribbitt said. "We no longer view cybersecurity as an emerging risk. It's an evolving risk. And one that we expect to be an integrated part of an issuer's risk management system."
