Rating agencies are pushing municipal issuers to build cybersecurity into risk mitigation as an environmental, social, and governance factor.
That includes enhanced disclosure.
The most recent headline case involved a ransomware attack on software manager Kaseya, which remotely controls programs for companies. Estimates peg that at least 200 businesses were affected.
President Biden’s administration issued executive orders directing federal agencies to explore ways to strengthen cyber defenses in recognition of the threat to public works.
Other noteworthy developments include the cyberattack on the Colonial Pipeline, the largest fuel pipeline in the U.S., which led to gasoline shortages throughout the East Coast; the Metropolitan Transportation Authority, which operates New York City’s mass transit system, linking an attempted hack to the Chinese government; spiked lye levels at a treatment plant in Oldsmar, Florida; and a ransomware attack at the University of Vermont Health Network, which also operates hospitals in upstate New York.
Given the murkiness of online crime and its relative infancy as a phenomenon, that makes municipal disclosure all the more complex.
“The whole issue of cybersecurity and municipals has been very interesting,” Joseph Krist, publisher of Muni Credit News, said on a Bond Buyer podcast. “There’s been a lot of focus on where these attacks might come from. A lot of focus on what they are intending to achieve or disrupt.”
An ongoing challenge for issuers is balancing disclosure without compromising security.
“Municipal investors are sophisticated enough to know that it’s not in anybody’s interest to know all the details or responses to hacking and the like out there, but they do want to see some discussion that would enable them to get a sense of comfort that there’s no guarantee you can prevent it, but that an agency is doing as much as it can,” Krist said.
“Those are things that can be addressed without giving the store away. And as I look at official statements and the like, I think issuers are trying. But it’s something that I think investors should continue to keep pressure on, more from a standpoint of trying to help maintain momentum. Because there is momentum for addressing this more.”
S&P Global Ratings expects issuers to have a basic knowledge of physical and digital assets, including personally identifiable data that may have special legal protection.
“In addition, we believe issuers should understand where vulnerabilities are in their systems,” analysts Tiffany Tribbitt and Geoffrey Buswick wrote. This understanding, they said, typically is documented in a device and network inventory and includes implementation systems to mitigate online security threats.
“Furthermore, it includes an understanding of risks from vendors and third-party relationships for information technology, accounting, billing, or other purposes,” they said. “Understanding what could be at risk is the first step in developing an effective mitigation strategy.”
S&P also called for “cyber hygiene,” which includes firewalls, antivirus software, multifactor identification requirements, security-patch management, phishing exercises and email filters.
“Additional policies, including regular access audits and vendor management, should be implemented, as necessary, based on the size and sophistication of the issuer,” S&P said. “Given the rise in social engineering fraud, controls around wire transfers and bank payments should also be in place, as necessary.”
Larger issuers, Tribbitt and Buswick said, should have a dedicated chief information or chief information security officer.
Kroll Bond Rating Agency has developed questions to help assess the extent to which an issuer is best preparing. “We recognize there is no single approach and that the risks will vary across different issuers and will, invariably, change over time,” it said.
Questions include whether an issuer has experienced an attack, what the ramifications were and what it has learned; whether it employs dedicated staff; and whether it follows internationally accepted security standards.
Fitch Ratings said remote work and the use of technology in the operation of public critical infrastructure has created new vulnerabilities.
“Service and safety were not jeopardized in the recent attacks on the [MTA] and the Massachusetts Steamship Authority, but the breaches pointed to the need for robust digital security.”
A ransomware attack at Mass Steamship in June disabled its online booking process. The public authority operates ferries from Cape Cod to Martha’s Vineyard and Nantucket. It said the attack did not halt operations and that it did not engage with the cybercriminals or pay a ransom.
The episode prompted state Sen. Michael Moore, D-Millbury, to sponsor a bill to establish a Cybersecurity Control and Review Commission, consisting of private and public sector experts. The panel, he said, would recommend cybersecurity standards for state and local agencies, as well as private companies contracting with the commonwealth.
“The world that we live and work in has changed so fast over the years and become more and more reliant on our information technologies and software systems,” Moore said. “As a result, hacking and other forms of cyberattacks are a constant threat to Massachusetts and the nation as a whole.”
In New York, MTA officials said the FBI, the Cybersecurity Infrastructure Agency and the National Security Agency issued a joint alert at 8 p.m. April 20 about a zero-day vulnerability. A zero-day, according to Microsoft, is a publicly disclosed vulnerability for which no official patches or security updates have been released.
CISA issued recommendations for fixes and patches and the authority implemented them immediately using its 24-hour protocol. According to the MTA, only three of its 18 different systems were affected.
Preparedness helped the MTA troubleshoot the crisis, according to Moody’s Investors Service analyst Baye Larsen.
“MTA has steadily increased its investment in cybersecurity over the past few years, leading to strong cyber practices that limited the impact of the breach,” she said.
Corporate espionage may well have been at play, Krist said. While transit systems largely buy rolling stock assembled in the U.S., today’s transit rail car manufacturers are foreign-owned.
“It appears that those hacks are more designed to see what the Chinese can find out that would actually make the more competitive in winning more of these bids and supplying more of these cars,” he said.
“There seems to be a high level of comfort that it wasn’t meant to access operations.”
The operational hack in the Vermont health system affected treatments such as chemotherapy.
“We’ve probably been fortunate to some degree that these hackers haven’t had more success penetrating operating systems, but that is going to continue to be an ongoing concern,” Krist said. “It becomes more and more difficult to figure out what the proper disclosure is to investors.”
According to Fitch, the April 29 cyberattack on the Colonial Pipeline, traced to a compromised password, illustrates the broader financial effects resulting from attacks on critical infrastructure.
“The trend of global cybercrime has been undergoing a metamorphosis in the past two years,” Fitch said. “Criminals are now more focused on pivoting from the direct theft of data to disrupting critical operations using ransomware and exfiltrating information.”