Moody’s – Cyberattacks on governments are rising but pose limited risks to credit quality

New York, November 25, 2019

•Digital technologies and e-services have increased the risk of cyberattacks on governments

•Cyber risks vary for governments, but the scale and diversification of their economies and ample fiscal resources help insulate them to varying degrees

The growing interconnectedness of digital networks and the expanded use of technology to deliver government services have increased governments’ exposure to cyberattacks, both through direct assaults on their own systems and through the impact of attacks on the broader economy. While governments worldwide are increasingly vulnerable to cyberattacks, the associated risks to their credit quality are limited, says Moody’s Investors Service in a new report.

“For bigger governments, including sovereigns and larger regional and local governments, the scale and diversification of their economies and sizable financial buffers enhance their ability to withstand cyberattacks,” says Vice President David Rogovic. “Smaller regional and local governments typically have fewer protections because of their smaller economies and more limited financial resources.”

In general, governments are attractive targets for cyberattackers as a result of their large financial resources, the essentiality of the services they provide and the sensitivity of the data they collect. More sophisticated cyber actors, including state-sponsored groups with geopolitical interests, typically target sovereigns and are often driven by espionage or the intent to disrupt domestic politics, including through election interference. In contrast, regional and local governments are typically targets of financial opportunity, including from ransomware attacks.

However, they are broadly resilient to cyberattacks from a credit quality perspective. Unlike private companies, governments oversee large and diverse economies, which helps distribute associated risks. Governments typically also have ample fiscal resources and taxing authority to absorb the potential financial costs of a successful cyberattack. Additionally, governments do not face the same types of reputational or regulatory risks as do private businesses following cyberattacks.

Although a well-developed cybersecurity strategy does not necessarily reduce a government’s vulnerability to attack, it can reduce an attack’s severity. Strong cyber defense capabilities can inform how quickly a government can respond to a cyber event, which will help limit the credit impact. These capabilities include ample cybersecurity resources, and cyber-specific incident and crisis management teams. In general, more advanced economies with stronger institutions tend to have the most developed cybersecurity strategies and defense capabilities.

Subscribers can access the report at: http://www.moodys.com/researchdocumentcontentpage.aspx?docid=PBC_1172789