Government’s cyber risks can lead to credit risks, report finds
Local governments and school districts are falling behind state governments and large transit agencies when it comes to cybersecurity preparedness, according to a report published Thursday by Moody’s Investors Service. And greater vulnerabilities to threats like ransomware, business email compromise and other attacks can have the effect of weakening those organizations’ creditworthiness in the eyes of lenders.
Moody’s surveyed 122 governmental bodies, including states, counties, cities, school districts, public utilities and transit agencies, and found that within the public sector the steps taken to defend against cyberattacks vary wildly. The survey asked respondents if they employ four tools and practices widely considered to be basic cybersecurity components: weekly backups of data, multi-factor authentication, incident response plans and red-team testing to simulate attacks.
Every transit system and utility that responded reported saving weekly backups of its data, while 100% of transit systems and state governments had incident response plans in place. But other public-sector entities trailed, in some cases by wide margins. Just 69% of counties and 59% of schools — two types of organizations frequently attacked by ransomware — saved backups regularly.
Meanwhile, implementation of multi-factor authentication was less likely the smaller the population an entity served, Moody’s found. In the top quartile — defined as a population of at least 3.2 million — 81% of organizations used multi-factor authentication to control network access. But in the bottom quartile, representing entities serving fewer than 160,000 people, barely half used the process.
“Cybersecurity is an increasing risk for regional and local governments, which have suffered numerous attacks in the past several years,” the report reads. “Weak security planning, lax risk prevention or poor response and recovery readiness leave entities vulnerable to attack and are a credit weakness.”
Red-team testing remains uncommon across the public-sector agencies Moody’s interviewed, with states leading the way at just 48%. By comparison, a similar survey of the banking sector found that 100% of debt issuers with assets of at least $150 billion employed that kind of testing, which governments often find to be cost-prohibitive.
The Moody’s report acknowledged the financial strains many government entities face, especially school districts, which are dependent on property taxes and state aid left to the discretion of legislatures, while states and large cities have more diverse revenue streams. It also noted the added burdens brought on by the COVID-19 pandemic.
“Increased reliance on technology and greater levels of connectedness via online devices and virtual services have already led to a sharp increase in cyberattacks on K-12 schools nationwide, as school networks become more attractive to cybercriminals,” the report read, noting an 18% increase in the number of incidents last year affecting public schools.
Staffing is also an issue. Among all organizations that responded to Moody’s, the median number of full-time cybersecurity staff was three, sometimes supported by contractors. But with the exception of states, all types of public-sector entities have tried to recruit more cybersecurity professionals in recent years, with schools adding 300% more staff between 2017 and 2019, while transit systems and utilities grew theirs by 200% over the same period. States, which employed an average of 14.5 full-time cyber professionals, remained flat.
Risks of cyberattacks can raise financial risks, the Moody’s report found. While no local government body has seen its bond rating fall because of a cyberattack, a few have come close. A business email compromise scheme in 2019 hoodwinked a Texas school district into sending a routine debt service payment to a phony account, but the district had enough in its cash reserves to also cover the real payment. And in early 2020, schools in New Orleans had to access capital markets when a ransomware attack cut off the city’s ability to collect tax revenues.