The rising threat of cyber attacks
When the covid-19 pandemic struck in 2020, the disruption to housing associations (HAs) was vast and social landlords needed a wholesale rethink on how to run their organisations effectively. In-person interactions are an important part of the work HAs do, whether it be repairs and maintenance work, welfare checks or community workshops.
But with lockdowns restricting the traditional ways of working, social landlords were required to accelerate digitization of their organisations. Many HAs will have been planning this work anyway, but the sudden onset of the pandemic meant processes were changed pretty much overnight.
One key challenge that has come to the fore since is that HAs needed to ensure that their data systems were watertight to prevent cyber-attacks. Social landlords handle huge amounts of personal data, which makes them prime targets for cyber criminals. With the sector still adjusting to new ways of working, leaders within their respective organisations need to consider how these risks can be managed.
Recent history shows that the social housing sector is not infallible when it comes to cyber security. Back in 2019, Home Group incurred a data breach which impacted 4,000 customers. This incident would be the canary in the coalmine, signaling a spate of attacks in the sector in the years to come.
Flagship, Hackney Council, Waverley Housing, Gloucester City Council, Bromford and Clarion all suffered external attacks. These attacks not only compromised the daily operations of these registered providers, but they also ate into the landlords’ finances and caused understandable worry and concern for customers.
With the consequences of cyber-attacks already laid bare, how can HAs protect themselves from such events and what are the consequences if they do not?
The first point to make is the effect a cyber-attack would have on residents, which was noted by credit rating agency S&P in its report into cyber risks in the sector. Tim Chow, author of the report, highlights the need for HAs’ response to be as quick as possible.
He says: “We can see in the case of Clarion, tenants were infuriated because there was a slow response. It depends what the severity of the attack and how long the response is but if core services are not recovered in a timely manner, that could cause a major impact on residents.”
Unlike many of the services HAs provide, cyber security can be difficult to communicate to residents. A customer will note any deterioration in their home and will be aware how long their landlord takes to fix issues, but cyber security will only be noted at the point of crisis.
As Felix Ejgel, Senior Director at S&P, explains: “It is difficult to build your reputation because by default you are expected to be good at cyber security. There’s an expectation that there will be no problems, but if it happens, it takes time to rebuild trust.”
When 40,000-home Bromford was hit with a cyber-attack, the landlord announced it had shut down its systems as a precaution. It was later announced that there was no evidence of a successful data breach.
Greg Campbell, Partner at Campbell Tickell, agrees that the nature of cyber security work itself can be a challenge to knowledge sharing among HAs.
He says: “One partial barrier to sharing is that some cyber security activity takes place secluded from public view.”
He notes, however, that the social housing sector is generally good at knowledge sharing and Campbell Tickell is trying to facilitate conversations when it comes to cyber security.
“Following the success of Campbell Tickell’s WhatsApp group for housing CEOs (established pre-pandemic but still growing with c.250 members), we have now set up a similar group for housing CIOs, which is growing rapidly and proving itself a useful forum to share information and best practice in the IT arena.”
Once the immediate danger to customers is dealt with, HAs will then need to consider the financial impact a cyber-attack could have.
In the case of Clarion, the housing association drew a link between the cyber-attack and financial performance. In November 2022, the landlord announced that its operating surplus over a six-month period fell from £164m to £149m.
In the announcement, Clarion said: “The lower operating surplus reflects the higher levels of cost inflation, increased expenditure on repairs and maintenance, and additional provisions against rent arrears linked to the recent cyberattack.”
The picture is bleaker for cash-strapped local authorities who are not able to access finance in the same way that HAs are. When Hackney Council was hit by a ransomware attack in October 2020, the attack would lead to the council spending £12.2m to deal with the aftermath. According to media reports, these costs included spending on IT consultancy, cyber recovery software and work to replace affected systems.
Recovery costs will be difficult to navigate, but this is just one aspect of the financial implications of a cyber-attack. As noted by S&P, difficulties when it comes to cyber security may have repercussions when HAs try to access finance further down the line.
Cyber-attacks carry with them a major threat to reputation, at a time when HAs are already dealing with reputational crises relating to issues of damp and mould.
This reputational damage, S&P notes, could become a factor when funders are considering who they lend to.
“We are concerned about the eventual cost it may bear because investors could start pricing them differently to single them out, which could have a substantial effect,” explains Felix Ejgel.
This will be particularly challenging for larger HAs who need to access the debt capital markets to fund their ambitious development programmes. HAs are often considered an attractive prospect for funders because of their strong Environmental, Social and Governance (ESG) credentials, but question marks around their ability to protect residents from cyber-attacks will weaken their position.
Felix admits that there has been no evidence of HAs being priced differently so far and that it may not come to pass. However, he admits that the markets have not been very active over the last year, so it is difficult to tell.
The RSH has also been vocal about sector reputation in recent years.
It said in its last sector risk profile report: “High profile instances of stock decency problems and service delivery and complaint handling failings have damaged the sector’s reputation and increased scrutiny from stakeholders. This is likely to increase the reputational impact from any further failings.
“In setting their strategic direction, providers will need to navigate a range of competing demands from stakeholders. Failure to consider competing demands at the outset, or failure to communicate these choices effectively once made, can have serious ramifications for a provider’s own reputation and that of the sector as a whole.”
Building up cyber defences will require a significant amount of investment, which adds to a growing list of expenses for HAs, including net zero work, fire safety and new development.
Tim Chow at S&P says the agency has noted HAs putting more money into IT infrastructure, but that the level of investment can vary from HA to HA.
Trevor Hampton, Director of Housing Solutions at NEC Software Solutions, suggests cyber investment needs to be a priority.
He says: “Cyber security is now considered the second biggest threat to the sector after net zero and before income and revenue risk according to a number of recent surveys.”
Trevor suggests that HAs need to put aside money as an investment priority the same way they do for property repairs and cyclical maintenance.
The pandemic, Trevor explains, forced many HAs to move their services online at speed. This has allowed cyber criminals more opportunities for phishing, ransomware and malware attacks.
“Many organisations, in the race to move services online have used open-source and low code technologies which can be susceptible to cyber vulnerabilities while the acceleration of digital has also created a shortage in cyber security skilled professionals,” he adds.
Greg Campbell also highlights the importance of regular testing when it comes to organisations’ cyber defences.
He says: “Organisations will want to have in place a clear cyber defense strategy and an up-to-date business continuity plan. Both should be subject to appropriate levels of review, test and scrutiny. This means ensuring you have the maximum practical defences in place, and that these are regularly tested by external specialists.”
Trevor Hampton stresses that HAs need to look beyond their own systems and perform due diligence into supply chains and supplier systems, ensuring that they are penetration tested with adequate Data Protection Impact Assessments in place.
A recent Inside Housing survey of the UK’s biggest 100 landlords found that 67% see cyber and IT security as a strategic risk – the second biggest concern behind health and safety.
As a result of these concerns, more and more HAs are taking measures to improve their defences. One way HAs are looking to do this is by accreditation through the government’s Cyber Essentials scheme.
The government scheme offers two levels of certification: Cyber Essentials and Cyber Essentials Plus. The Cyber Essentials option is a self-assessment process which reassures organisations that they are prepared for the “vast majority” of cyber-attacks. Meanwhile, the Cyber Security Plus certification requires “a hands-on technical verification” to be carried out.
Greg Campbell says: “Cyber Essentials Plus is increasingly becoming the minimum standard of accreditation but a growing number of organisations are going for ISO 27001.”
Each HA will have its own reasons for selecting the accreditation it ultimately chooses, but taken together, there is a clear groundswell placing greater emphasis on cyber security.
A few years ago, before the recent spate of cyber-attacks in the sector, HAs may have thought their list of priorities couldn’t possibly have gotten bigger. However, the evidence is clear that HAs now view cyber security as a key threat to their organisations.
The fallout from recent cyber-attacks is still being felt and the impact calculated, but there can be no doubt about the severity of disruption and distress they can cause for residents. This, paired with reputational issues around damp and mould, make for a bleak picture. HAs must do all that they can to get both factors under control.
It remains to be seen whether funders will factor in cyber performance when it comes to pricing deals. But poor cyber credentials will certainly be considered when it comes to ESG evaluations and, therefore, it is possible that some HAs may not benefit from ESG-linked deals if they fail to meet certain standards.