Higher risk levels confront higher education issuers
7 min read
Cybercrime, inflation and more severe storms are among the increased risk factors confronting colleges and universities in the Southeast that are emerging from a pandemic that shook the educational model for more than a year.
So far this year, Hurricane Ian struck Florida and South Carolina, inflation rose to a four-decade high and the number of known cyberattacks against institutions of higher learning has kept surging.
In a report last week issued after Ian’s deadly run, S&P Global Ratings said that most Florida higher education institutions have experience dealing with hurricanes and other severe weather events and they have very detailed disaster preparedness plans.
S&P rates 19 public and private higher education institutions in Florida, the Florida College System of eight community colleges and three not for profit 501(c)(3) higher education organizations.
“Although it is too early to assess any long-term effects [from Hurricane Ian], it appears there will be some property damage and flooding,” S&P said. “As the hurricane recedes and operations get back up and running, [we] will reach out to our education issuers most damaged to evaluate risks on a case-by-case basis to identify the potential impact on the institution, whether financial or otherwise.”
In a separate report, S&P noted that higher education is among the higher-risk targets for cybercrime due to the vast amounts of personal information used for enrollment, philanthropic support and medical research.
Colleges and universities are being targeted by cyber criminals with an increasing frequency, said Ken Rodgers, a credit analyst at S&P.
“This something that we’ve recognized in our ratings analysis for the past two years or more,” Rodgers told The Bond Buyer on Tuesday. “We’ve had a focus on this across our public finance department in general, but in higher education we are a little more attuned to the potential significance of it.”
Still, he said that from a ratings perspective thus far S&P has only revised a few credit outlooks to negative or stable in the higher education sector — and most of those actions were not due solely to cybersecurity issues; rather they were just one factor cited in the ratings revision.
“Colleges and universities have grappled with event risk with increasing frequency over the past few years, whether from nature or man-made, such as management and governance controversies, cyber risk, etc.,” S&P said in its report.
“Many have implemented sound enterprise risk management programs that can be activated promptly,” the rating agency said.
“In addition, colleges and universities generally maintain strong management and governance controls, and also benefit from ample financial resources; this may include insurance coverage for specific risks as well as the ready access to external support such as disaster aid programs,” S&P said.
Still, S&P said that event risk can create a crisis atmosphere at a university that can affect credit quality if an event is not managed effectively and quickly.
Rodgers said most colleges and universities want to share information with the market to let it know how prepared they are to deal with or fend off an attack, but don’t want to give out too much information that might give cyber attackers a blueprint of their strengths and weaknesses.
Fitch Ratings noted the higher education sector has seen a rapid increase in the number and severity of cyberattacks since 2020, at a time when many of these institutions are already grappling with financial and operating stress related to the pandemic.
“The sector is viewed as a target-rich environment due to the large amount of sensitive data, namely intellectual property and personally identifiable information, that these institutions maintain for student curriculum, research and operations,” Fitch said in a May report.
“Threat actors took advantage of the pandemic to cause disruption to the higher education sector at a time when it was facing unprecedented challenges and a sharp shift to online delivery,” Fitch said. “Colleges and universities became much more reliant on remote third-party learning platforms and personal student devices to conduct classes, significantly increasing the exposure for these institutions. Insufficient digital infrastructure and network protection protocols can be material vulnerabilities across the sector.”
In April, Florida International University(FIU) in Miami was hit by a BlackCat ransomware attack, according to KonBriefing.com. Details of the attack remain sketchy, which is not unusual due to the sensitivity of the data and the continuing investigations, which often take a long time to unravel.
FIU’s 344-acre campus is in Westchester, a suburban neighborhood next to Miami. Founded in 1965, it is home to the International Hurricane Research Center, the only university-based research facility dedicated tropical storm research in the U.S.
The university relied on online and hybrid courses after pandemic restrictions took effect in 2020.
With normal operations restored, enrollment is 56,732 students in the fall 2022 semester, including 10,653 graduate students.
In a ransomware attack, code is downloaded by an unknowing target and their workstation and then possibly those of others is encrypted and rendered unusable until a ransom is paid, often in untraceable Bitcoin. A phishing attack lets a criminal operation gain access to others private emails and data information such as credit card information or social security number.
Other cyber attacks have taken place in the Southeast this year.
The year began with a phishing attack on the University of Huntsville in Alabama, which compromised some email accounts in January. Officials told WAFF.com that some emails did contain personal information, such as social security numbers, but that no credit card or banking information was included.
The latest reported attack in the Southeast was in Mississippi, where William Carey University, a private university in Hattiesburg in Forrest County, was hit by a cyberattack at the end of September.
According to a study by Sophos, a cybersecurity protection firm, attacks on higher education organizations jumped as reported in its 2022 survey, with 64% of the 410 institutions polled getting hit by ransomware attacks. This was up from the 44% reported in its 2021 survey.
Hospitals were top target for cyberattacks last year, according to U.S. government data, but higher education was not immune.
“While education has a below-average attack rate, the adversaries’ encryption success rate in this sector is considerably higher than average,” the Sophos report said. “Higher education has the highest data encryption rate of all sectors surveyed (74% of attacks resulted in data being encrypted) … in comparison, the global average encryption rate comes in at 65%.”
Fitch noted that the higher education sector also faces a unique risk factor from the theft of research data by nation-state actors rather than criminals.
“In the past two years, more than 200 universities publicly disclosed they were victim to this type of theft, according to a 2021 threat intelligence report from BlueVoyant. Attacks targeting medical and biotech research accelerated during the pandemic, although the main target is still industrial and defense technology information. These cyberattacks could result in the loss of competitive grants and future patent royalty revenues, both critical lines of revenue for research-heavy institutions,” Fitch said.
The rating agency noted that in cases where staff or researchers are implicated, the risk of legal and financial repercussions are elevated.
“Federal contracts generally have cyber hygiene requirements with which universities may need to comply in order to conduct research or receive federal funding,” Fitch said.
Inflation has also hit the insurance sector as the costs have been skyrocketing for universities who purchase cyber security insurance.
“More than half of the credits we rate [in the sector] do have cyber insurance but the premiums for those policies have been really shooting up — something in the neighborhood of 40% to 60% or more in the past year,” Rodgers said. “We’re aware that some colleges and universities that are talking with each other, looking to form some type of insurance pool to see if there is a way to reduce the costs associated with having this type of asset protection.”
Howard Globus, self-described cybersecurity evangelist who is founder and CEO of IT On Demand, told The Bond Buyer in a June podcast that public entities need to be prepared before an attack in just the same way they need to be prepared before a hurricane or an earthquake.
“It just makes good sense for continued smooth operations,” Globus said.
“We’ve seen an increase in risk across the landscape. The cyber attackers are not working through a list of targets, moving down the list one at a time. Rather, what we’re seeing is an increase in attacks and probes across all manner of systems from multiple controlled systems, nonprofit organizations and corporate entities,” he said. “If the organization has systems connected to the internet, there’s potential vulnerabilities and the attacks are increasing,” he said.
S&P also noted that the pandemic’s left a mark on higher education, saying many colleges and universities were “continuing to navigate a highly disruptive environment” due to the pandemic as well as ongoing demographic shifts and affordability concerns.
“In fall 2020, many colleges and universities transitioned their mode of instruction to a hybrid model, which generally affected campus operations and auxiliary revenues. Traditional recruitment approaches were also affected, with a significant reduction in campus tours and high school visits. Schools were forced to innovate and respond quickly,” S&P said. “However, during fiscal 2021, meaningful emergency federal funding provided greater financial flexibility to navigate these ongoing risks.”
On Thursday, S&P will hold a webinar that will focus on the higher education sector.
