Fitch: US School Districts’ Cyber Risk Heightened by Limited Resources

Fitch Ratings-Austin/New York-01 June 2022: US public school districts are increasingly targets of cyberattacks due to the volume of sensitive personally identifiable information (PII) that schools maintain and the generally limited resources devoted to cybersecurity, Fitch Ratings says. Cyberattacks increased in frequency, severity and sophistication during the pandemic, leaving school districts, already facing operational and financial stresses exacerbated by the pandemic, particularly vulnerable.

School districts turned to remote learning during the pandemic and most became reliant on third-party learning platforms and personal student devices to conduct classes, significantly increasing their exposure to cyberbreaches. According to a recent report by K12 Security Information Exchange (K12 SIX), 162 school districts across 38 states reported cyberbreaches in 2021. However, due to weak public disclosure requirements across the sector, the number of incidents is likely much higher. Fitch’s analysis of recent school district cyberattack data suggests that district size does not seem to be a factor, as both large and small districts have been targeted.

Competing K-12 budget considerations and resource allocation often lead to weakness in institutional cybersecurity. The threat landscape and cost of breaches and remediation are growing at a much faster pace than school districts’ IT budgets allocated to cybersecurity. This trend is further exacerbated by hiring and staff retention challenges in a tight labor market, especially for IT staff, and the generally limited ability of school districts to independently increase revenues.

Ransomware remains the most prevalent cyber event impacting K-12 schools, accounting for roughly 37% of the reported K-12 cyber incidents in 2021, according to K12 SIX. Ransomware attacks in 2021 resulted in school closures in some cases due to attackers withholding access to databases used in school operations, leading to loss of instruction time for students. Disclosed ransom amounts paid in 2021 by school districts trended around mid-six-digit figures, while the cost of recovery after incidents has been much higher, which may not have been fully covered by districts’ insurance policies.

Some districts have no cyber insurance at all. Adequate third-party risk transfer through cyber insurance is becoming increasingly unattainable for school districts, with annual premiums across K-12 cyber policies reportedly soaring more than 300% (according to Aon PLC) and coverage levels shrinking. Districts will face greater financial risks from cyberattacks without the ability to adequately transfer risk. Fitch considers the impact of cyberattacks as part of its assessment of management, which is an asymmetric credit factor where evidence of significantly weaker characteristics may negatively affect the rating. In the event of a cyberattack, Fitch will evaluate management’s ability to respond to the impact in relation to an entity’s financial flexibility.

Schools subject to breaches that disclose confidential information could face financial, legal and reputational risks as well as the risk of enforcement actions due to regulations regarding privacy and confidentiality. PII is trafficked on the dark web, and minors are at elevated risk of identity theft, which can go undetected for years due to lack of regular credit monitoring for this demographic.

Data breaches and leaks constituted about 20% of K-12 reported cyber incidents in 2021. According to K12 SIX, 55% of disclosed school data breaches in 2021 were directly due to leaks originating from district vendors, highlighting the elevated third-party risk for the sector. School district data is a valuable target given the amount of sensitive PII pertaining to teachers, parents, students and other personnel, a trend that is expected to continue as long as profit incentives remain high and outweigh perceived risk of criminal prosecution.

Contacts:

Omid Rahmani
Associate Director, US Public Finance
+1 512 215-3734
Fitch Ratings, Inc.
2600 Via Fortuna, Suite 330
Austin, TX

Brittany Pulley
Associate Director, US Public Finance
+1 512 813-5652

Sarah Repucci
Senior Director, Fitch Wire
Credit Policy – Research
+1 212 908-0726

Media Relations: Sandro Scenga, New York, Tel: +1 212 908 0278, Email: [email protected]

The above article originally appeared as a post on the Fitch Wire credit market commentary page. The original article can be accessed at www.fitchratings.com. All opinions expressed are those of Fitch Ratings.



Copyright © 2024 Bond Case Briefs | bondcasebriefs.com