Cybercrime, inflation and more severe storms are among the heightened risk factors facing colleges and universities in the Southeast emerging from a pandemic that has rocked the education model for more than a year.
So far this year, Hurricane Ian has battered Florida and South Carolina, inflation has soared to a four-decade high, and the number of known cyberattacks on college campuses has continued to rise.
In a report released last week after Ian’s fatal run, S&P Global Ratings said most Florida higher education institutions have experience dealing with hurricanes and other severe weather events and have very detailed disaster preparedness plans.
S&P evaluates 19 Florida public and private higher education institutions, the Florida College System of eight community colleges, and three 501(c)(3) nonprofit higher education organizations.
“Although it is still too early to assess long-term effects [from Hurricane Ian]looks like there will be some property damage and flooding,” S&P said. [we] will reach out to our most vulnerable education providers to assess the risks on a case-by-case basis and identify the potential impact on the institution, whether financial or otherwise.”
In a separate report, S&P found that higher education is among the higher-risk destinations for cybercrime due to the massive amounts of personal data used for enrollment, philanthropic support, and medical research.
Colleges and universities are increasingly being targeted by cybercriminals, said Ken Rodgers, a credit analyst at S&P.
“That’s what we’ve seen in our rating analysis for the past two or more years,” Rodgers told The Bond Buyer on Tuesday. “We’ve generally focused on this in our public finance department, but in higher education we’re a little more aware of the potential importance.”
Still, he said that from a ratings perspective, S&P has so far only revised a few credit outlooks in the higher education sector to negative or stable – and most of these actions are not solely due to cybersecurity issues; Rather, they were just one factor mentioned in the assessment revision.
“Colleges and universities have in recent years been increasingly concerned with event risks, whether natural or man-made, such as: management and governance controversies, cyber risks, etc.,” S&P said in its report.
“Many have implemented sound corporate risk management programs that can be activated immediately,” the rating agency said.
“Additionally, colleges and universities generally maintain strong management and governance controls and also benefit from ample financial resources; this may include insurance coverage for specific risks, as well as easy access to outside assistance such as disaster relief programs,” S&P said.
Still, S&P said event risk at a university can create a crisis atmosphere that can affect credit quality if an event isn’t managed effectively and quickly.
Rodgers said most colleges and universities want to share information with the market to let them know how well prepared they are to deal with or repel an attack, but don’t want to give away too much information that would give cyber attackers a blueprint of could give them strengths and weaknesses.
Fitch Ratings noted that the higher education sector has seen a rapid increase in the number and severity of cyberattacks since 2020, at a time when many of these institutions are already grappling with financial and operational strains related to the pandemic.
“The sector is seen as a target-rich environment because of the large amount of sensitive data, namely intellectual property and personal data, that these institutions retain for student curriculum, research and operations,” Fitch said in a May report.
“Threat actors took advantage of the pandemic to disrupt the higher education sector at a time when it was facing unprecedented challenges and a sharp shift to online delivery,” Fitch said. “Colleges and universities are increasingly reliant on third-party learning platforms and student personal devices to deliver instruction, greatly increasing the exposure of these institutions. Inadequate digital infrastructure and network protection protocols can create significant vulnerabilities across the sector.”
According to KonBriefing.com, Florida International University (FIU) in Miami was hit by a BlackCat ransomware attack in April. Details of the attack remain sketchy, which is not uncommon given the sensitivity of the data and the ongoing investigation, which often takes a long time to resolve.
FIU’s 344-acre campus is located in Westchester, a suburb of Miami. Founded in 1965, it houses the International Hurricane Research Center, the only university research facility in the United States dedicated to studying tropical storms
After the pandemic restrictions came into force in 2020, the university relied on online and hybrid courses.
Once normal operations have been restored, 56,732 students will be enrolled in the fall semester of 2022, including 10,653 doctoral students.
In a ransomware attack, code is downloaded from an unknowing target and their workstation, and then potentially those of others, is encrypted and rendered unusable until a ransom is paid, often in untraceable bitcoins. A phishing attack allows a criminal operation to access someone else’s private email and data information, such as B. Credit card information or social security number.
Other cyberattacks took place in the Southeast this year.
The year began with a phishing attack on the University of Huntsville in Alabama, which compromised some email accounts in January. Officials told WAFF.com that some emails contained personal information, such as social security numbers, but no credit card or banking information.
The last reported attack in the Southeast was in Mississippi, where William Carey University, a private university in Hattiesburg, Forrest County, was hit by a cyberattack in late September.
According to a study by cybersecurity company Sophos, attacks on higher education institutions were on the rise as reported in their 2022 survey, with 64% of the 410 institutions surveyed being hit by ransomware attacks. This was an increase from the 44% reported in the 2021 survey.
Hospitals were the top target of cyberattacks last year, according to US government data, but higher education was not immune.
“While education has a below-average attack rate, the encryption success rate of attackers in this space is well above average,” says the Sophos report. “Higher education has the highest data encryption rate of any sector surveyed (74% of attacks resulted in data encryption)…compared to the global average encryption rate of 65%.”
Fitch noted that the higher education sector also faces a unique risk factor from research data theft by nation-state actors, rather than criminals.
“Over the past two years, more than 200 universities have publicly announced that they have been victims of this type of theft, according to a 2021 BlueVoyant Threat News report. Attacks on medical and biotechnology research have accelerated during the pandemic, although that Main target is still industry and defense technology information. These cyberattacks could result in the loss of competitive grants and future royalties from patents, both important sources of revenue for research-intensive institutions,” Fitch said.
The rating agency noted that in cases involving employees or researchers, the risk of legal and financial consequences is increased.
“Federal contracts generally have cyber hygiene requirements that universities may need to meet in order to conduct research or receive federal funding,” Fitch said.
Inflation has also hit the insurance sector as the cost for universities to purchase cyber security insurance has skyrocketed.
“We evaluate more than half of the credits [in the sector] have cyber insurance, but the premiums on those policies have really skyrocketed — something close to 40% to 60% or more over the past year,” Rodgers said. “We’re aware that some colleges and universities are talking to each other to form some kind of insurance pool to see if there’s an opportunity to reduce the costs associated with this type of asset protection.”
Howard Globus, a self-proclaimed cybersecurity evangelist and founder and CEO of IT On Demand, told The Bond Buyer in a June podcast that public entities need to be just as prepared for an attack as they are for a hurricane or earthquake.
“It just makes sense for smooth operation,” said Globus.
“We have seen an increase in risk across the landscape. The cyber attackers don’t work through a list of targets and move down the list one at a time. Rather, we’re seeing an increase in attacks and probings in all types of systems from multiple controlled systems, nonprofit organizations and corporations,” he said. “When the organization has systems that are connected to the internet, there are potential vulnerabilities and the attacks increase,” he said.
S&P also noted that the pandemic has left its mark on higher education, saying many colleges and universities “continue to navigate an extremely disruptive environment” due to the pandemic, as well as ongoing demographic shifts and affordability concerns.
“In the fall of 2020, many colleges and universities transitioned to a hybrid model of instruction, impacting campus operations and ancillary revenue generally. Traditional approaches to recruitment have also been affected, with a significant reduction in campus tours and high school visits. Schools have been forced to innovate and respond quickly,” S&P said. “During fiscal year 2021, however, significant emergency federal funding provided greater financial flexibility to manage these ongoing risks.”
On Thursday, S&P is hosting a webinar focused on the higher education sector.