Cyber Risk

U.S. muni market slowly starts paying heed to cyber risks

NEW YORK (Reuters) - A rise in cyber attacks on U.S. public sector targets so far has had little impact in the $3.8 trillion municipal debt market, with no issuer as yet hit by a downgrade or higher borrowing costs because of a cyber security threat.

That is beginning to change.

S&P Global has begun to quiz states, cities and towns about their cyber defenses, and some credit analysts are starting to factor cyber security when they look at bonds. Moody’s Investors Service is also trying to figure out how to best evaluate cyber risk.

The shift follows a particularly steep rise in ransomware attacks, when criminals hold an entity’s computer system hostage until a small ransom is paid.

The number of global ransomware detections rose 36 percent in 2016 from the year before, to 463,841, with the United States most heavily affected, according to cyber security firm Symantec Corp.

Such attacks, which have also hit companies and federal entities, have spared no kind of municipal issuer large or small, from police departments to school districts and transit agencies. Ransomware attacks on state and local governments and their agencies have risen in proportion with the overall increase, according to cyber insurance provider Beazley Group.

“State and local governments are a huge target, quite frankly an easy target for bad guys,” said Bob Anderson, managing director for information security at Navigant management consulting firm in Washington and a former global cyber investigator at the Federal Bureau of Investigation.

Last month’s “WannaCry” ransomware attack, which hobbled global businesses and Britain’s National Health Service, may also be prompting renewed focus on cyber security, though it had minimal impact in the United States.

Considering a potential cyber attack as a similar risk to a natural disaster, S&P has already been reviewing cyber security defenses of utilities, hospitals and colleges because they were early public sector targets for hackers.

FILE PHOTO: An advertisement about the Microsoft Cybercrime Center plays behind a window reflecting a nearby building at the Microsoft office in Cambridge, Massachusetts, U.S. May 15, 2017. REUTERS/Brian Snyder/File Photo

Now it is also beginning to ask cities and states about the costs and level of security measures and the financial impact of successful attacks, said Geoffrey Buswick, who manages S&P’s public sector ratings.


The answers feed into broader categories that affect an issuer’s ratings, particularly governance, liquidity and operations.

Many breaches are handled quickly and financial damage is limited, but not every attack will necessarily end that way, Buswick said. “We’re trying to get sense of who has their head in the sand and who doesn’t.”

Fitch Ratings said it does not consider cyber security in its ratings, and many investors still are not concerned enough to ask for details.

In part, that is because it can be difficult to assess the operational and financial fallout of such attacks. Some high profile breaches so far have also done limited damage to issuers’ finances.

Case in point is the state of South Carolina, which in August 2012 suffered possibly the worst cyber attack yet of any city or state.

When hackers stole the personal data of more than 3.5 million taxpayers, the state had to investigate, provide credit monitoring and consumer fraud protection, and implement a slew of post-breach upgrades, according to State Senator Thomas Alexander.

The total cost is around $76 million and counting, he said. That is enough to pay for several school programs combined. But against South Carolina’s annual general fund budget of roughly $8 billion, the costs made no dent in its standing as a borrower.

Many issuers do not disclose any information to potential investors in bond documents about cyber risks or defenses. But a few, particularly hospitals and utilities, have started doing so.

In a February prospectus, the Maryland Health and Higher Educational Facilities Authority, the state’s largest public debt issuer, included nearly a full page devoted to the growing risk of cyber attacks.

“Because we’re such a large issuer, and because healthcare is often treated much more like a corporate credit, the legal counsels to the transaction weigh in on the bondholder risk section,” said Annette Anselmi, the authority’s Executive Director, noting that such disclosures also evolve depending on what kinds of questions the market is asking.

Hospitals are also ahead on cyber security disclosure because they rely on huge amounts of data, said Court Street Group analyst Joseph Krist.

Eventually, he expects others to follow suit.

“We went through this with getting munis to ... disclose more pension information. Those were frankly long and painful processes. It just has to get to a critical mass.”

Reporting by Hilary Russ; Additional reporting by Jim Finkle in Toronto; Editing by Daniel Bases and Tomasz Janowski