Following an increase in ransomware cyber attacks, most notably May 2017’s WannaCry attack, U.S. public sector entities are starting to see the effects of these attacks on the almost $4 trillion municipal debt market. As a result, issuers are now starting to consider the cybersecurity posture of borrowers at the town, city, and local levels when they apply for bonds.
Municipal bonds are “the debt obligations of states, their political subdivisions and certain authorities.” The municipal bond market allows over 50,000 US state and local government units to raise money for entities like public schools, water and sewer systems, transportation, and more.
According to Reuters, despite the rise in global cyber incidents, no borrower had previously suffered any increased borrowing costs due to a cyber threat, but this may not be the case going forward. Leading credit ratings provider S&P Global is now beginning to inquire into cyber defenses being implemented at the town, city, and state level. Additionally, while looking at bond applications, credit analysts are starting to incorporate cyber security as a factor. Moody's Investors Service is also trying to determine how to best evaluate cyber risk.
So, why haven’t credit ratings providers/issuers considered cybersecurity defenses as a critical part of their bond assessments until now? Many investors haven’t been worried enough to ask since they cannot see or measure lasting damage — therein lies the danger. Towns, cities, and states need to be taking the appropriate measures to guard against a cyber incident. These days it’s not a matter of “if” a breach occurs, but “when.”
We’ve already seen state governments hit with crippling attacks, like the 2012 attack on the state of South Carolina, which compromised millions of residents’ financial information. The incident was handled quickly, and South Carolina subsequently implemented $76 million in security upgrades.
Most issuers don’t disclose any details about cyber risks or defenses in bond documents to potential investors. However, some such as hospitals and utilities, who handle large quantities of data, have begun doing this — and this should be encouraged. The more open communication and collaboration between issuers, investors, and public sector entities, the more proactive measures can be put in place to guard against cyber attacks. Being in the public eye makes these entities and their data especially valuable to bad actors.
When performing assessments at the state and local level, issuers should be taking cybersecurity defense programs and security posture into account. As more attacks occur and compromise taxpayer and employee data, the effects may have severely damaging results for these constituents in the affected areas.
The best way to proactively and continuously assess cybersecurity posture (both at the public or private level) is with BitSight Security Ratings. BitSight Security Ratings allows users to view their numerical rating (between 250-900) and drill down on specific vulnerabilities within their networks. Using BitSight’s straightforward ratings approach, both bond issuers and potential investors can get a definitive sense of how much risk public sector applicants pose given their security posture and adjust their assessments accordingly.