Fitch Ratings-Austin/New York-09 June 2021: The recent Colonial Pipeline cyberattack illustrates the broader financial effects that can result from attacks on critical public infrastructure, Fitch Ratings says. A breach of critical assets, such as power or water supply or public transportation, that halts service could result in widespread public and private sector shutdowns if utilities cannot provide service or employees are not able to commute to their places of work.
Infrastructure that has been compromised can directly affect state and municipal government finances in the near term through ransom payments and/or the costs of remediation and restoration of data and service, as well as over the longer term, as a result of broad economic disruption that leads to loss of tax revenue.
The highly public nature and necessity of critical public infrastructure marks it as an extremely tempting target for cyber criminals, where the rewards for successful breaches can be significant. Public safety and security and the direct accountability of government entities to their citizens make infrastructure attacks attractive to those who seek to maximize headline risk.
The Biden administration issued exploratory executive orders directing federal agencies to look into ways to strengthen cyber defenses in recognition of the threat to public works. The comprehensive federal regulations around grid security are a prime example of the focus on national security and economic and public safety concerns. Public power entities are required to maintain the cyber best practices of the North American Electric Reliability Corporation.
The trend of global cybercrime has been undergoing a metamorphosis in the past two years. Criminals are now more focused on pivoting from the direct theft of data to disrupting critical operations using ransomware and exfiltrating information. Making systems more resilient to evolving cyberattacks requires ongoing and robust capital investment in digital defenses to ensure operational security and physical safety. Employee and management vigilance remains an important guard against cybercrime.
Remote work and the use of technology in the operation of public critical infrastructure has created new cyber challenges and vulnerabilities. Service and safety were not jeopardized in the recent attacks on the Metropolitan Transportation Authority of New York (transportation revenue bonds rated ‘A-‘/Negative) and the Massachusetts Steamship Authority (not rated by Fitch), but the breaches pointed to the need for robust digital security.
Attacks on the water infrastructure in the City of Oldsmar, Florida and Post Rock Rural Water District, Kansas (neither rated by Fitch) evidence the importance of manual redundancies and safeguards if cyber defenses are breached. Management was able to limit damage at these utilities, even though the control systems of water treatment plants were compromised.
Fitch considers cybersecurity in its review of public sector credits and as part of its global environmental, social and governance (ESG) framework. Cyber breaches pose significant social risks in terms of public safety and security, as well as a governance risk in terms of management effectiveness. An entity’s ESG Relevance Score (ESG.RS) for Customer Welfare – Fair Messaging, Privacy & Data Security (SCW), could be elevated if cyber risk were deemed to be material to the rating, such as the score assigned to Marriott International, prior to the issuer’s rating withdrawal in September 2020, in recognition of the widescale data breach of their systems in 2018, and to Capital One (COF; ‘A-‘/Stable) following a July 2019 data breach. COF’s elevated ESG.RS for SCW was reduced in May 2021, as the breach did not result in any noticeable damage to COF’s franchise.
Associate Director, US Public Finance
+1 512 215 3734
2600 Via Fortuna, Suite 330
Austin, TX 78746
Senior Director, Fitch Wire
+1 212 908-0726
Media Relations: Sandro Scenga, New York, Tel: +1 212 908 0278, Email: [email protected]
The above article originally appeared as a post on the Fitch Wire credit market commentary page. The original article can be accessed at www.fitchratings.com. All opinions expressed are those of Fitch Ratings.