More than half of reported cyber breaches involving rated entities since 2000 have targeted sovereigns, local governments and state-owned critical infrastructure, according to analysis by S&P Global Ratings.

Drawing on data from RiskRecon and the European Repository of Cyber Incidents, S&P’s review of nearly 25 years of breach activity reveals that sovereign institutions – including legislative, defence and executive bodies – were implicated in 47% of politically motivated attacks. Infrastructure providers, particularly in the energy and transport sectors, comprised a further 41%, with attackers often treating these entities as secondary targets in pursuit of broader disruption.

S&P’s analysts attribute the persistence of this threat profile to both the political capital such breaches can yield and the complex interdependencies within national infrastructure. “The potential for political interference and economic disruption makes sovereign systems and infrastructure persistent high-value targets,” said Michelle Keferstein, analyst at S&P Global Ratings. “Effective cyber risk management at sovereign level hinges not only on investment in technical capabilities, but on governance structures that support adaptive response frameworks.”

The report notes that despite the high breach frequency, the material impact on sovereign creditworthiness has so far been limited. S&P currently sees a low likelihood that a single cyber incident would directly affect a sovereign's credit profile. However, it flags secondary risks such as operational degradation, loss of public confidence and systemic contagion as potentially significant over longer time horizons, particularly where public services intersect with digital infrastructure.

Technical failures and insider error remain key attack vectors, with many breaches originating from within organisations due to poor cyber hygiene, privilege mismanagement or misconfigured systems – a trend that continues to outpace external threat factors in frequency.

As digital transformation accelerates across critical infrastructure, S&P’s findings suggest that risk transfer mechanisms alone are insufficient. The firm recommends that governments and infrastructure operators embed cyber risk quantification into long-term capital planning, integrate cyber scenarios into national risk registers and adopt resilience metrics that are stress-tested against targeted attack vectors.

---