MuniESG Insights | An ESG Leader with Cybersecurity Issues: CommonSpirit Health

This healthcare system’s recent bond offering was marred by the revelation of a cyber-attack. We offer some thoughts on how this impacts their ESG efforts.

CommonSpirit Health (“The System”), one of the nation’s largest Catholic health systems, born from the combination of Catholic Health Initiatives and Dignity Health in 2019, came to market last week with a $496.5 million tax-exempt Series 2022A and an $807.356 million taxable Series 2022. The Series 2022 came with a corporate, rather than a muni, CUSIP, designed to appeal to both corporate bond and foreign buyers.

This would have been a rather routine offering, except for the fact that the System had to disclose it was the victim of a cyberattack just days before it came to market. Although the rating agencies promptly dismissed this as immaterial to the bond rating, the rather awkward timing of the cyber incident raised some interesting issues regarding the disclosure and evaluation of cybersecurity as an “ESG” factor.


Before we tackle the subject matter at hand, let’s quickly check the System’s recent financial performance, as displayed in our MuniCREDIT Online application. Overall, results for FY2022 were markedly weaker compared to FY2021, as pandemic-related assistance from state and federal sources starts to decline.

Table 1.

Utilization statistics for the System were relatively stable, except for a steady decline in Acute Care Admissions over the past 4 years. Medicare and Medicaid continued to account for a rather large portion of the payor mix (about 66%).

Table 2.

ESG Considerations

Most ESG experts readily agree that “cybersecurity” should be included under “Governance”, the “G” in “ESG”. How that factor should be evaluated is a whole other matter. The most common problem cited by muni investors is the lack of timely disclosure about these cybersecurity events. There is little consensus about what the disclosure timeframe should be, nor about what else should be disclosed besides a simple notification of such an event. For instance, issuers fear that disclosure of cybersecurity insurance policies may actually spur more criminal activity.

In our view, there is no question that disclosure of a cybersecurity event should occur promptly, i.e., in a matter of days, not weeks. Such disclosure should include at a minimum some estimates of financial impact, if any, and what the issuer’s response has been or will be.

Within an ESG framework, obligors should probably not be judged on the frequency of occurrence of cybersecurity attacks, over which they have no control, but rather on the robustness of their internal IT controls and procedures.

Despite its recent cybersecurity issues, CommonSpirit management appears fully committed to sustainability goals and to being a leader in sustainability in healthcare: “We believe the health of our community is linked to the health of our planet.” (Source: Investor Roadshow, Series 2020A). This commitment is certainly in keeping with the System’s obligations as a faith-based ministry.

Tables 3 and 4 summarize the System’s ESG framework and its commitment to achieve Net Zero by 2040 (Source: Investor Roadshow, Series 2022).

Table 3.


Table 4. CommonSpirit Health: Commitment to Net Zero by 2040.

More details on CommonSpirit’s sustainability efforts may be found in Appendix A of the Official Statement and also at:

An interesting problem with faith-based institutions is their stance on sensitive social and moral issues, such as abortion. In fact, most, if not all, bond issues by Catholic health systems include an extraordinary call provision in the event any Obligated Group member is forced to “operate in any manner that the Corporation (the System) in good faith believes to be contrary to the Ethical and Religious Directives or the principles and beliefs of the Roman Catholic Church (…)”.


Among all sectors of the municipal market, it stands to reason that healthcare should be at the forefront of any ESG-related efforts. This is especially true of faith-based systems such as Catholic Health Initiatives and Dignity Health, which combined to create CommonSpirit Health.

CommonSpirit’s recent cyberattack event is illustrative of a critical problem facing the nation’s health systems, which rank among the most frequent targets for cybercriminals, given the highly sensitive nature of patient data. While a framework for evaluating cybersecurity risk under the “Governance” umbrella is still evolving, the System’s leadership role in promoting sustainability goals should serve as a great model for other health systems in the US.


Note: for more details on our MuniCREDIT Solutions, which covers over 24,000 municipal obligors across all major sectors, and on our MuniESG scores, including details on the 18 sub-components of the Climate Impact Score (hurricanes, tornadoes, wildfires, etc.), please contact us at

Disclaimer: This report is for informational purposes only and is not intended as an offer or solicitation with respect to the purchase and sale of any security. Although the information contained in this report has been obtained from sources we deem reliable, we do not guarantee its accuracy, and such information may be incomplete or condensed. Investors should obtain and read the official statements related to the securities discussed. All opinions are only valid as of the report date and are subject to change without notice.