Water and sewer credit ratings incorporate an assessment of an entity’s resiliency to manage unexpected events, including cyberattacks, which could pose financial and operating risks that ultimately affect utility credit quality, Fitch Ratings says.
Event risks like cyberattacks are considered asymmetric risks per Fitch’s criteria, and are viewed through the lens of the response of management and sufficiency of governance systems and protocols to deflect or absorb the risk. Management and governance is typically neutral to credit, but could be considered credit negative if utilities lack capacity to adequately manage cyber risk or if there are concerns related to transparency, communication or reputational damage following a cyberattack.
Related — Florida water hack underscores cybersecurity threat to utilities
Fitch assesses a utility’s financial flexibility and its relative capacity to repay debt and other liabilities. Therefore, unexpected costs related to cyber breaches could weaken liquidity metrics and constrain a utility’s overall financial profile assessment per Fitch’s criteria. Emergency efforts to combat cyberattacks could reduce cash reserves and/or increase operating expenses, decreasing funds available for debt service. Unanticipated debt financing to support cyber infrastructure or to capitalize cyber losses could also weaken leverage metrics.
Cyber breaches could also present challenges to a utility’s ability to preserve revenue generation and recover costs in a timely manner. The loss or corruption of customer data, electronic files and accounts that leads to the inability to read meters or access billing systems and reduces customer confidence could affect the ability to raise rates. Loss or corruption of data could also hamper the ability of a utility to monitor its own systems and provide timely and quality data to regulators and customers. Utilities could face possible regulatory action for violation of regulations or lawsuits from other constituents, both of which could result in unexpected financial burdens.
Technology investment is expected to play a larger role within a utility’s capital program moving forward.
A utility’s operating expenses may be driven higher by recovery and mitigation efforts post-attack. These would include both one-time expenses, such as rebuilding cyberinfrastructure and systems, and recurring higher service costs, including cyber insurance or additional staffing. Furthermore, utilities that are enterprise funds of local governments may be required to provide increased transfers to cover unanticipated expenditures in the event of a cyber breach of the local government.
Technology investment is expected to play a larger role within a utility’s capital program moving forward, adding to capital spending that is already increasing for some utilities due to regulatory-driven projects and water resource development or growth projects. Vulnerabilities or delays in addressing other system asset needs could emerge due to a utility’s focus on cyber risk mitigation taking priority over other critical infrastructure protection projects. Capital improvement plans may need to be revaluated or expanded in the aftermath of an attack, resulting in increased capital pressures on systems.
Fitch also includes cybersecurity in its analysis of the sector and as part of its corporate-wide environmental, social and governance (ESG) framework. Cyber risk is both a social risk in terms of safety and security, as well as a governance risk in terms of management effectiveness. A utility’s ESG Relevance Score would be elevated if cyber risk were deemed to be material to the rating.
