Fitch Ratings-New York/Austin-12 February 2021: The recent cyberbreach of the Florida city of Oldsmar (not rated by Fitch Ratings) is an important moment in the evolving nature of municipal cyber risk, Fitch Ratings says. The breach was one of the first cases of the use of a municipality’s cyber infrastructure for a kinetic attack with the potential for human casualties. Though unsuccessful, the attack was evidence of the increasing frequency of cyber-attacks and the significant risks they pose to public finance entities, their constituencies and management. It also highlights the critical need for robust cyber hygiene and cyber vigilance in the municipal sphere. Recognizing this risk, Fitch includes cybersecurity in its credit analysis of the municipal sector and as part of its corporate-wide environmental, social and governance (ESG) framework. In addition, we believe cyber events pose financial risk which could impact municipal credit quality. This risk is not limited to the upfront cost of responding to a cyber-attack, but the costs of recovery and realignment of systems as well, which are many times more than the initial cost.
The Oldsmar attack consisted of a yet unknown assailant breaching the control systems of the city’s water treatment plant and adjusting the levels of sodium hydroxide to poisonous levels. This attack could have harmed thousands of residents without the city’s manual redundancies and safeguards that limit chemical levels.
Cyber breaches pose significant social and governance risks, which are reflected in our ESG framework and which we analyze when evaluating all credits, including states and local governments. Specifically, cyber risk is both a social risk in terms of safety and security, as well as a governance risk in terms of management effectiveness. A municipality’s ESG relevancy score would be elevated if cyber risk were deemed to be material to the rating. The Oldsmar incident demonstrates the critical risk that cyber intrusions pose to security in terms of public resources and trust as well as the safety of the constituency. Therefore, we believe it is important for municipal entities to have a systematic organizational approach to cyber hygiene that includes redundancies, robust policies and training that produce a cyber-conscious workforce. Without a robust cyber hygiene, governance protocols may prove inadequate in preserving the security of systems and may elevate safety risks for the community at large.
There has been a widespread proliferation of cybercrime in the municipal sphere over the past few years. Most of this crime has been in the form of large- and small-scale ransomware attacks which have dominated headlines. The potential for more frequent cyberattacks is exacerbated by the focus on remote-access systems due to the increase in remote work as a result of the coronavirus pandemic. In addition, the availability of “off the shelf” ransomware software on the dark web has allowed cybercrime to develop into a cottage industry.
The public nature of municipal entities, their limited defensive resources and direct accountability to their constituencies mark them as low-hanging fruit for cyber criminals. While the integration of operation and information technology into the daily workflow of public finance organizations has increased efficiencies and transformed the way these organizations conduct their daily business, it has also generated a new series of cyber risks and challenges. Today, local officials find themselves targets of cybercrime and cyber-attacks from an increasing list of hostile actors. Employee and management vigilance is currently the most important bulwark of any organization against cybercrime.
Contact:
Omid Rahmani
Associate Director, US Public Finance
+1 512 215-3734
Fitch Ratings, Inc.
Terrace 1
2600 Via Fortuna
Suite 330
Austin, TX 78746
Amy Laskey
Managing Director, US Public Finance
+1 212 908-0568
Fitch Ratings, Inc.
Hearst Tower
300 W. 57th Street
New York, NY 10019
Sarah Repucci
Senior Director, Fitch Wire
+1 212 908-0726
Media Relations: Sandro Scenga, New York, Tel: +1 212 908 0278, Email: [email protected]
The above article originally appeared as a post on the Fitch Wire credit market commentary page. The original article can be accessed at www.fitchratings.com. All opinions expressed are those of Fitch Ratings.