Standard & Poor’s (S&P) has warned that social housing providers could suffer more frequent cyberattacks that would hit them financially and deter investors.
A report from the credit agency said that providers have increasingly become targets of cyberattacks and warned that these could happen more often.
S&P said that social landlords increasingly rely on IT systems to provide services to tenants, and the pandemic was a catalyst in making the use of technology more widespread.
However, it said that new technologies, especially those that deploy business intelligence based on residents’ data, offer cyber criminals more targets.
S&P’s report said that cyberattacks could weaken financial performance and that incidents can result in extended service disruptions for providers.
It warned that at the same time, as seen in some recent incidents, putting emergency actions into place “might face hiccups” and therefore prolong the disruption to operations.
The Information Commissioner’s Office has the power to fine providers if data breaches occur.
S&P said that large providers would have more financial capacity to pay any fines but are more exposed to cyber risks, given that their large databases are more attractive to hackers.
Meanwhile, the credit rating agency said small providers could be less likely to be a target but would be more susceptible to any fines.
Furthermore, social landlords already under financial stress might find themselves hard-pressed to improve IT systems and would become more vulnerable to cyber incidents, unable to absorb the resulting potential losses.
S&P added that major cyber incidents could cause serious reputational damage as well as hitting providers financially.
The agency said that regaining tenants’ trust will take a long time after their personal information is compromised. It said that this could result in a potential loss of investor trust in a social landlord’s operations.
S&P said cyberattacks could damage a landlord’s reputation and cast doubt on its social role, which would put off investors looking at new issuances.
S&P said in its report: “In our view, cyber security has become a growing concern to social housing regulators. In England, [the Regulator of Social Housing] has stressed that cyber is a key sector risk. Its introduction of tenant satisfaction measures from April 2023 could further stress providers in handling customer satisfaction if there are any disrupting security incidents.”
S&P said the sector is gearing up to tackle the growing cyber security threat.
It said that many providers are working on stepping up their IT security. The credit rating agency said some have gone beyond business continuity planning and penetration testing by setting up 24/7 monitoring systems, conducting third-party reviews or providing more training to employees to raise awareness.
S&P said that the Cyber Essentials accreditation, a government-backed scheme that certifies a company’s defence against cyberattacks, is becoming more popular in the sector.
It added that some providers are further pursuing standards, including the Cyber Essentials Plus accreditation and ISO/IEC 27001, which covers information security management systems.
“We consider the sector’s increasing effort to strengthen IT infrastructure credit positive that would somewhat mitigate the rising risk,” S&P said in the report.
“While it is difficult to quantify the financial impact, some providers account for cyber security breaches in stress-testing.
“We understand that cyber insurance is common in the sector, but it’s getting more expensive. Globally, much of the increase in price has followed a supply and demand mismatch and insurers’ cautiousness in taking on new risk.”
S&P said it embeds issuers’ cyber risk preparedness in its assessment of social landlords’ management and governance, and also considers the financial impacts of cyber risk in its financial risk profile assessment.
It said that providers should have a comprehensive cyber strategy to mitigate risks with sufficient monitoring and IT infrastructure. A lack of strategy could imply weak risk management, S&P added.
The report said: “Although we understand that the sector is increasing efforts in IT infrastructure, cyberattacks are becoming more sophisticated, constantly seeking ways to exploit system or human vulnerabilities.
“As we expect that financial and reputational consequences could be more significant for cyberattacks, we think that cyber security will be increasingly important in [social housing providers’] risk management. Those that do not manage the risk well, via strong planning and management, could see significant negative credit implications.”
S&P mentioned the example of Clarion. The UK’s largest housing association suffered from what it called a “cyber security incident” in June, which targeted its IT infrastructure.
It also mentioned Red Kite Community Housing, which lost almost £1m after cyber criminals mimicked the domain and emailed details of the group’s suppliers in 2019.
S&P said that Clarion’s half-year operating surplus fell partly due to the fall-out from a major cyberattack, and that its operating surplus is likely to weaken as a result of additional provisions against rent arrears linked to the incident. However, the agency does not see “the financial impact as being an immediate credit risk”.
Meanwhile, Red Kite had its governance rating downgraded from G1 to G2.
S&P said that the sector’s partners are not immune to the issue. For instance, Plentific – a company that runs a repairs platform for large London providers including L&Q, Notting Hill Genesis and Peabody – experienced a cyberattack in 2021 that indirectly affected providers’ operations.
Local authorities, which manage housing benefits and planning, are also targets, S&P added.