Fitch: EPA Memo Ramps Up Cyber Regulations for Water Utilities

Fitch Ratings-Austin/New York-11 May 2023: The US Environmental Protection Agency’s (EPA) requirement that all public water systems incorporate cyber risk and resiliency in their periodic reviews will add an increased regulatory and financial burden, which could be onerous for smaller systems and systems with minimal existing cyber infrastructure, Fitch Ratings says. The requirement could have a significant effect on water utilities’ capex budgets, and margins would be pressured if systems are unable or unwilling to pass on the added costs to customers through rate increases.

The EPA’s memorandum, which became effective immediately on March 3, 2023, requires states to incorporate a review of cyber resilience in their regular periodic audits of public water systems (sanitary surveys). Sanitary surveys identify deficiencies that could affect safe water supply, and the EPA is including cybersecurity as a potential deficiency.

States may now be required to evaluate cybersecurity practices and controls as part of the regulatory requirement to review public water systems’ equipment and operations to ensure water supply or safety. A utility must address and correct any cybersecurity deficiency identified by the state. Significant deficiencies could include absence of a practice or control or presence of a vulnerability that has a high risk of being exploited. Should deficiencies not be remedied and result in a breach, Fitch would consider the magnitude of the impact on both finances and operations. Deficiencies may negatively affect our view of management and governance and potentially result in negative rating action if a breach results in weakened financial metrics or supply disruption.

The Cybersecurity and Infrastructure Security Agency is able to help states with risk assessments, but it is not a dedicated resource and ultimately the responsibility will likely fall on states to interpret cyber resilience and remedies, leading to varying approaches.

Given that there was little federal cyber regulation for the sector prior to this memorandum, many utilities will likely have deficiencies cited in sanitary surveys. Water utility operational technology can be quite old and may not be compatible with needed cybersecurity upgrades or software enhancements. We expect water utilities could incur significant costs in the medium term to update systems and upgrade infrastructure to improve cybersecurity.

In the absence of new robust federal appropriation, we expect utilities will pass on costs to customers through rate hikes, where feasible. Smaller utilities with weaker cybersecurity practices and technology may be less able to fully pass on what could be considerable costs, as their customer base could be less able to bear a jump in rates. As a result, margins could suffer, liquidity and leverage could weaken, and negative rating pressure could build.

The EPA points to a few broad resources that are available to help utilities with remediation, but these resources have other funding mandates besides cybersecurity and will only provide some of the resources needed. These include the Drinking Water State Revolving Fund loan fund, EPA’s Midsize and Large Drinking Water System Infrastructure Resilience and Sustainability Program, and USDA Rural Utilities Service Water and Environmental Programs loans.

America’s Water Infrastructure Act of 2018 (AWIA) requires water systems serving over 3,300 people to assess the risk and resilience of computer systems, but does not provide for any formal review of utilities. The EPA memo, on the other hand, applies to all public water systems. Assessments and emergency response plans under the AWIA may be used to support states’ cyber resilience assessments.

In April, Missouri, Arkansas and Iowa filed a petition to have the EPA cybersecurity mandates reviewed in the U.S. Court of Appeals for the Eighth Circuit. These states have concerns with the financial burden presented by the new requirement and argue that EPA does not have authority to expand the scope of existing regulations without Congressional action.

Contacts:

Audra Dickinson
Senior Director, US Public Finance
+1 512 813-5701
Fitch Ratings, Inc.
2600 Via Fortuna
Austin, TX 78746

Omid Rahmani
Associate Director, US Public Finance
+1 512 215-3734

Sarah Repucci
Senior Director, Fitch Wire
Credit Policy – Research
+1 212 908-0726

Media Relations: Sandro Scenga, New York, Tel: +1 212 908 0278, Email: [email protected]

The above article originally appeared as a post on the Fitch Wire credit market commentary page. The original article can be accessed at www.fitchratings.com. All opinions expressed are those of Fitch Ratings.


