- Electric utility companies could face "negative ratings actions" if their operations are disrupted by hackers or if their security practices are lax, Fitch Ratings warned the industry in a special report Monday.
- The ratings agency said public utilities would likely be allowed to recover the costs of a cyberattack through rates. But several other factors could impact credit ratings and "physical asset damage and/or human harm could have financial implications."
- Fitch focused on the growing threat to operational technology and industrial control systems, which are used to operate the grid but often rely on legacy equipment. While the utility sector is relatively well protected, a March report on ICS risk from Claroty warned of growing vulnerabilities.
Claroty's latest risk assessment of ICS environments found vulnerability disclosures grew 25% in the second half of 2021, and have more than doubled over the last four years.
That increase underscores the "broad cyber risks in OT assets," Grant Geyer, chief product officer at Claroty, said in an email.
"This is not necessarily reflective of net new problems — it’s indicative of more focus and research on ICS cyber security," Geyer said. "While this points to an increased desire to find and fix the ICS cyber challenges, it concurrently underscores the risk to the resilience of industrial environments from a cyber attack that can cripple critical infrastructure.”
Fitch cited the growth in vulnerability disclosures in its report, adding that it "expects this trend will continue in the near term, as more traditional assets become internet connected."
The ratings agency added that the electric utility sector is "relatively well prepared to monitor and manage cyber risk," in part owing to the North American Electric Reliability Corp.'s rules on critical infrastructure protection, or CIP.
However, Fitch noted that as more industrial control systems are connected to the internet and integrated with information technology systems, attacks will grow more sophisticated.
The average cost of an ICS cybersecurity incident is about $3 million, according to Ponemon Institute's 2021 State of Industrial Cybersecurity report. And to the extent a hacker disrupts a utility's operations, reduces earnings or increases costs, "such an event could have a negative impact on the issuer’s credit profile," Fitch said.
Fitch said it believes a public utility involved in a major incident "would be allowed an avenue for timely cost recovery to the extent that cyber investment needs fall outside of the normal budget and rate cycles regardless of ownership." But other factors could impact ratings, including fines and penalties if the utility was found in violation of NERC's CIP standards, and the potential for regulators to reduce the utility's return on equity.
A utility's security posture could be used in assessing its credit rating, Fitch said.
"To date, Fitch has not downgraded a rated entity due solely to a cyber event, but cyber breaches resulted in specific rating sensitivities post-incident in some cases," the report said. "Fitch will not make a positive rating action based on good cyber security hygiene and strong controls, but poor cyber security could result in negative rating actions."