Newly inaugurated President Rodrigo Chaves Robles declared a national emergency on 8 May in response to the continuing ransomware attack, for which Russia-based international criminal group Conti has claimed responsibility
The number of ransomware attacks more than doubled globally in 2021, with criminals increasingly stealing and encrypting sensitive personal data. Governments have numerous departments that can be attacked, but the most critical from a sovereign credit perspective are the Treasury/Finance Ministry and the central bank
The current cyber-attack on Costa Rica highlights risks to sovereigns that could increase as such attacks become more common, Fitch Ratings said.
The attack has significantly disrupted some government functions, but not Costa Rica’s ability to service its sovereign debt, suggesting that sudden interruptions in payments are a tail risk.
Newly inaugurated President Rodrigo Chaves Robles declared a national emergency on 8 May in response to the continuing ransomware attack, for which Russia-based international criminal group Conti has claimed responsibility.
The attack was first announced by Costa Rica’s Ministry of Finance on 18 April, when it said that tax collection and import-export systems had been disrupted, and that the mechanism for paying public-sector employees had been partly suspended for several hours. The attack then spread to other parts of the government.
The ministry said that the attackers had gained access to confidential taxpayer information such as income reports and tax payments, but that the authorities had not lost their access to the same data.
In response to the authorities’ refusal to pay Conti’s ransom demand, the group began making stolen information available on the dark web.
The number of ransomware attacks more than doubled globally in 2021, with criminals increasingly stealing and encrypting sensitive personal data. Governments have numerous departments that can be attacked, but the most critical from a sovereign credit perspective are the Treasury/Finance Ministry and the central bank.
Conti’s attack on Costa Rica has targeted the Finance Ministry, but has not interrupted repayments on sovereign debt obligations. The authorities said on 11 May that all debt payments had been made in compliance with repayment schedules.
Fitch is not aware of any instance in which a cyber incident led directly to a failure to pay, and has not taken any rating action on a sovereign or non-sovereign issuer as a result of a cyber-attack or cyber preparedness concerns.
Costa Rica’s experience so far also suggests that operational risk management, for example, via business continuity plans, can reduce the risk that a cyber-attack delays debt servicing.
Fitch would assess a missed payment by a sovereign due to a cyber-attack in the same way as any other potential default event under our Sovereign Rating Criteria.
But the disruption caused by the Costa Rican attack highlights a broader range of risks. The Finance Ministry granted extensions for some tax payments, delaying receipt of revenues until back-up systems are fully operational. Government liquidity remains adequate according to Central Bank of Costa Rica deposit data.
The switch to manual customs systems slowed cross-border trade. Fear of fraud could damage confidence in the financial system, and the release of confidential information could create reputational risks for the government.
How far such broader risks materialize will partly depend on the duration of the attack and Conti’s ability to further disrupt government functions and economic activity.
Conti has reportedly indicated that it may engage in more ransomware attacks on other sovereigns, and it is expected such attacks will become more common.
Some sovereigns are more exposed than others as cyber operations can be an extension of warfare or intimidation as well as an attempt to extort money.
For example, Ukraine was subject to cyber-attacks before and during Russian’s invasion, including on its power grid. To the extent that cyber risk is linked to geopolitical risk, it may be partly captured in the governance indicators that form part of our sovereign credit assessment.
Some emerging markets and developing countries with low cyber preparedness are also likely to be relatively vulnerable. Fitch assesses the effects of a cyber event relative to ratings headroom and financial, operational and reputational impacts.