An increase in cyberattacks against colleges and universities, which comes as institutions rely heavily on digital infrastructure to deliver online learning amid the pandemic, is a negative factor weighing on higher education’s credit profile, according to Moody’s Investors Service.
The ratings agency published commentary on risks associated with cyberattacks this week, about two weeks after the FBI issued a warning about rising numbers of cyberattacks against colleges and universities. Attackers can steal sensitive information, block access to essential systems and demand payment before they return access. They have also been known to threaten to publish stolen sensitive information if institutions do not meet their demands.
The attacks pose social risks related to customer relations for colleges and universities when they affect service delivery, delay key events like registration or disrupt virtual classes. They can also pose a financial risk.
Some institutions have paid ransoms to decrypt stolen data and restore access to servers, according to Moody’s. Direct and indirect costs, like paying to recover lost data and systems, lost revenue and ransom payments, are rising along with the number of attacks. The monetary amount colleges and universities pay in ransom may not be particularly large as a percentage of their overall financial heft, but it can make the higher education sector more attractive to future hackers.
“University wealth will continue to mitigate much of the financial harm of a cyberattack, but it highlights the attractiveness of the sector to cyber criminals,” a Moody’s report said.
Universities operating large medical centers are also exposed to cyberattacks affecting health care, where attack-related costs are much higher than they are in education. The global average cost of a data breach in education was $3.9 million in 2020, according to the Ponemon Institute. It was $7.13 million for health care.