Fitch Ratings says EPA requirements could lead to rising costs, prove onerous for smaller systems

Credit rating agency Fitch Ratings says the U.S. Environmental Protection Agency’s (EPA) requirement that all public water systems incorporate cyber risk and resiliency in their periodic reviews will add to the regulatory and financial burden, which could be ‘onerous for smaller systems and systems with minimal existing cyber infrastructure.’

The agency further expects that the requirement could have a significant effect on water utilities’ capital expenditure budgets, and margins would be pressured if systems are unable or unwilling to pass on the added costs to customers through rate increases. 

“Given that there was little federal cyber regulation for the sector prior to this memorandum, many utilities will likely have deficiencies cited in sanitary surveys,” Fitch Ratings wrote in research released last week. “Water utility operational technology can be quite old and may not be compatible with needed cybersecurity upgrades or software enhancements. We expect water utilities could incur significant costs in the medium term to update systems and upgrade infrastructure to improve cybersecurity.”

The agency said that, in the absence of a new robust federal appropriation, “we expect utilities will pass on costs to customers through rate hikes, where feasible. Smaller utilities with weaker cybersecurity practices and technology may be less able to fully pass on what could be considerable costs, as its customer base could be less able to bear a jump in rates. As a result, margins could suffer, liquidity and leverage could weaken, and negative rating pressure could build,” the research added.

The EPA’s memorandum, which became effective immediately on March 3, 2023, requires states to incorporate a review of cyber resilience in their regular periodic audits of public water systems (sanitary surveys). Sanitary surveys identify deficiencies that could affect safe water supply, and the EPA is including cybersecurity as a potential deficiency.

“States may now be required to evaluate cybersecurity practices and controls as part of the regulatory requirement to review public water systems’ equipment and operations to ensure water supply or safety. A utility must address and correct any cybersecurity deficiency identified by the state,” the Fitch Ratings research said. “Significant deficiencies could include absence of a practice or control or presence of a vulnerability that has a high risk of being exploited.” 

The research added that should deficiencies not be remedied and result in a breach, “Fitch would consider the magnitude of the impact on both finances and operations. Deficiencies may negatively affect our view of management and governance and potentially result in negative rating action if a breach results in weakened financial metrics or supply disruption.”

The U.S. CISA (Cybersecurity and Infrastructure Security Agency) can help states with risk assessments, but it is not a dedicated resource, and ultimately the responsibility will likely fall on states to interpret cyber resilience and remedies, leading to varying approaches, according to the research.

The EPA points to a few broad resources available to help utilities with remediation, though these resources have other funding mandates besides cybersecurity and will only provide some of the resources needed. These include the Drinking Water State Revolving Fund loan fund, EPA’s Midsize and Large Drinking Water System Infrastructure Resilience and Sustainability Program, and USDA Rural Utilities Service Water and Environmental Programs loans.

America’s Water Infrastructure Act of 2018 (AWIA) requires water systems serving over 3,300 people to assess the risk and resilience of computer systems but does not provide for any formal review of utilities, the research said. “The EPA memo, on the other hand, applies to all public water systems. Assessments and emergency response plans under the AWIA may be used to support states’ cyber resilience assessments.”

Fitch Ratings research added that in April, Missouri, Arkansas, and Iowa filed a petition to have the EPA cybersecurity mandates reviewed in the U.S. Court of Appeals for the Eighth Circuit. “These states have concerns with the financial burden presented by the new requirement and argue that EPA does not have authority to expand the scope of existing regulations without Congressional action.”

The Fitch Ratings research aligns with opinions shared by cybersecurity experts with Industrial Cyber last month. 

Richard Robinson, chief executive officer of Cynalytica, pointed to a few deficiencies in the memorandum: a lack of specificity, insufficient guidance for small PWS, and a lack of clarity on compliance requirements. “While the memorandum provides general guidance on how public water systems (PWS) can improve their cybersecurity posture, it does not provide enough detail on how to implement specific controls or address specific vulnerabilities,” he added.

Robinson further added that “the memorandum does not provide enough guidance for small PWS that may have severely limited resources or technical expertise to implement cybersecurity measures.”

Jennifer Loudon, founder/CEO at Intelligent Water Services, said that the vast majority of utilities, both water and wastewater, around the country are considered small or midsize. “These facilities are subject to the same problems that large utilities face, but with a traditionally much smaller pool of resources to draw from when addressing the problem, including OT cybersecurity. Staffing, in terms of both sheer numbers as well as in-house expertise, is going to be lower at these small and medium facilities,” she added.

Last May, Fitch Ratings said in a report that cyber risk is a growing threat for rated entities and that it considers an operational technology (OT) system attack more likely to affect credit than a corresponding attack on IT, due to the potential time to remediate and its impact on cash flow.
