Governments, regulators adjust to hazardous cybersecurity landscape

To run a municipality in 2023 means preparing for constant cyberattacks. 

Cyberattacks have become “an everyday phenomenon” for municipalities, said Omid Rahmani, associate director of U.S. public finance at Fitch Ratings. “This problem is not going to get better. In the short term, it’s going to get worse before it gets better.”

Moody’s Investors Service found that the median cyberattack for a public administration entity costs $1.5 million.

Rahmani said he sees municipalities ranging from small school districts to critical public infrastructure struggle with cybersecurity.

Through federal grants, cybersecurity insurance and proposed Securities and Exchange Commission disclosure guidelines, areas of the public finance industry are adjusting to cybersecurity’s hazardous new status quo. 

There’s no standardized way to report cyberattacks, so experts don’t know how common they are, according to Brett Callow, a threat analyst at the cybersecurity firm Emsisoft. But hackers attack roughly 100 state and local governments every year with ransomware alone, he said. 

Cybercriminals often see state and local governments as soft targets, which hold copious amounts of personal and financial data. Municipal cyberattacks consequently started spiking around 2019, Callow said, and appear to have stayed at elevated levels since then. 

Cost has always been a major obstacle for local cybersecurity, Callow said, and cost is growing as cyber threats evolve.

“Do local governments spend their limited funds on bolstering their cybersecurity, or on dealing with the homelessness problem, or on fixing potholes in roads,” Callow said, “or take the unpopular step of increasing taxes to pay for additional IT solutions?” 

David Erdman, a managing director at Baker Tilly Municipal Advisors and former debt manager for Wisconsin, said issuers also face a knowledge gap and a “language barrier” when approaching cybersecurity policies and disclosure — people who understand bond yields aren’t usually experts in cybersecurity, and vice versa. 

Local governments also face “talent flight” from cybersecurity staff, according to Rahmani. Every industry has a constant, growing demand for cybersecurity employees, and the public sector is rapidly losing employees to private companies that can pay more and offer more benefits.

State and federal governments have sought to help local governments with these obstacles in the face of heightening cyber threats: the Infrastructure Investment and Jobs Act created a $1 billion grant program; some states, like Massachusetts, have their own grant programs; and others, like Wisconsin, provide IT services directly to local governments.

Many states have also increased requirements for municipalities to plan for and report cyberattacks.

In New York, as of December 2022, 318 of the state’s largest water systems were required to submit emergency plans that identify potential vulnerabilities to natural disasters and that include a Cybersecurity Vulnerability Assessment (CVA) identifying vulnerabilities to terrorist attacks and cyberattacks. Ransomware attacks rose 13% nationwide in 2021, according to the New York governor’s 2023 State of the State book.

Some, like North Carolina and Florida, have banned local governments and state agencies from paying any ransoms in the event of a ransomware attack. 

Some municipalities also secure their systems through private companies. A UMBC survey found that nearly 40% of responding governments fully or partially outsourced their cybersecurity functions to a managed service provider or managed security service provider. 

A recent report from Moody’s showed that municipalities have widely adopted cybersecurity insurance over the last five years — up to 92% from 54% in 2019. 

The cost of insurance has increased dramatically in recent years, according to Moody’s, with some municipalities’ premiums doubling or tripling from 2021 to 2022.

Insurers have also begun to require insureds to follow certain cyber hygiene practices and are limiting the scope of what they will cover; these changes seem to be helping to stabilize premiums.

However, Rahmani said insurers are effectively pricing out more vulnerable municipalities. He’s seen some local governments with the resources to do so move to a self-insurance model.

Overall, Moody’s and Fitch consider cybersecurity insurance credit-positive for municipalities.

Threats to financial firms, meanwhile, seem less dire, but “a 2022 survey of 130 global financial institutions found that 74% experienced at least one ransomware attack over the past year,” according to Commodity Futures Trading Commission Commissioner Christy Goldsmith Romero.

In March, the SEC proposed new disclosure regulations for all covered entities, which would include the Municipal Securities Rulemaking Board, large broker-dealers, and security-based swap data repositories. 

The new Rule 10 would require entities to regularly assess their cybersecurity risks and mitigation and provide written policies and procedures for responding to cybersecurity incidents, such as notifying investors if they experience a data breach. The proposal would also broaden the scope of Reg SCI and include other entities like large broker-dealers, security-based swap data repositories and certain exempt clearing agencies.  

The comment period for the new rule yielded some criticism from entities like the MSRB, which argued that the rules were too broad and prescriptive, and that the disclosure regulations could cause more security risks if an entity was in the midst of a cyberattack.

While the MSRB said it supports the SEC’s efforts to protect investors in the U.S. securities markets and the markets themselves from cybersecurity risks, the board is “concerned about certain aspects of proposed Rule 10 … and believes that certain modifications are necessary to ensure that the rule has its intended effect.”

The MSRB submitted a comment letter to the SEC in June outlining its concerns, including what it called the “broad scope” of key definitions, the “prescriptive requirements” regarding the contents of written contracts between covered entities and their service providers, the requirement that covered entities publicly disclose cybersecurity risks, the lack of an exception to delay public disclosure of a significant cybersecurity incident for legitimate security concerns, and “the need to harmonize proposed Rule 10 with Regulation SCI to limit overlap and complexity for entities that are already subject to Regulation SCI.”

Ernesto Lanza, a bond counsel at Ballard Spahr and former director at the SEC and MSRB, had concerns about the proposal, although he found it positive overall.

“Sometimes people who are doing bad things may or may not know if they’re being effective,” Lanza said. “And self-reporting, ‘Oh, look, we just got hacked,’ [the hackers can say], ‘Oh, look, our hack worked! Great.’”

Although the comment period has closed, it’s not clear when or whether the SEC plans to finalize the regulations.