MTA scare highlights public finance cyber woes

BY SourceMedia | MUNICIPAL | 06/07/21 09:52 AM EDT By Paul Burton

Subway safety in New York took on a new meaning when the Metropolitan Transportation Authority acknowledged a cyber intrusion, which set off loud alarm bells about the rising threat of system hacks.

The MTA is one of the largest municipal issuers and reports linked China's government to the episode.

Despite MTA officials? assurances of quick troubleshooting and no evidence of compromise to its operational systems, employee or customer information, this marked the latest chilling cybersecurity event for public finance.

?It was hospitals in the fall. Over the winter it was a municipal water system. Now a series of transit agencies are the targets,? municipal bond analyst Joseph Krist said.

One positive, according to Krist, is that the MTA was able to hold the cost of recovery to ?a very manageable number? and did not pay a ransom.

?It is not clear what more can be done to prevent ransomware hacks short of tightening cyber security,? said Chris Low, chief economist at FHN Financial.

The MTA, which carries $50 billion of debt including special credits, operates New York City?s massive subway-and-bus system, two commuter railroads and several interborough bridges and tunnels.

According to Moody?s Investors Service analyst Baye Larsen, this highlights the rising credit risk for U.S. infrastructure systems, and the importance of continued investment in cybersecurity.

?MTA has steadily increased its investment in cybersecurity over the past few years, leading to strong cyber practices that limited the impact of the breach,? she said.

Hackers with links to the Chinese government targeted the MTA in April, the New York Times (NYT) reported, citing an MTA document.

According to MTA officials, the Federal Bureau of Investigation, the Cybersecurity Infrastructure Agency and the National Security Agency issued a joint alert at 8 p.m. April 20 about a zero-day vulnerability, which means no one in the world was aware of the attack when it happened.

CISA issued recommendations for fixes and patches and the authority implemented them immediately using its 24-hour protocol.

According to the MTA, only three of its 18 different systems were affected.

When the CISA alert first came out it included four vulnerabilities, three of which the MTA had already patched, an authority official said.

?The MTA quickly and aggressively responded to this attack, bringing on Mandiant, a leading cyber security firm, whose forensic audit found no evidence operational systems were impacted, no employee or customer information breached, no data loss and no changes to our vital systems,? MTA chief technology officer Rafail Portnoy said in a statement.

?Importantly, the MTA?s existing multi-layered security systems worked as designed, preventing spread of the attack and we continue to strengthen these comprehensive systems and remain vigilant as cyber-attacks are a growing global threat.?

These attacks have been on the rise of late.

Amid COVID-19, cyber attacks struck 560 healthcare facilities last year, according to the Emsisoft State of Ransomware report. That included Universal Health Services (UHS), which operates about 400 hospitals nationwide.

At a treatment plant in Oldsmar, Florida, an intruder in February boosted the level of sodium hydroxide ? or lye ? in the water supply to 100 times higher than normal. JBS, the world?s largest meat-processing company, had to briefly shut down its operations. The FBI in a statement identified Russian-connected groups REvil and Sodinokibi as behind that hack.

In May, Colonial Pipeline halted 5,500 miles of pipeline, creating severe fuel shortages along the East Coast. The FBI attributed the targeting to criminal ransomware organization Darkside.

Cybersecurity risks are hard to quantify, according to Kroll Bond Rating Agency.

?Although the costs and benefits of a good cybersecurity program are sometimes hard to measure, the downside is substantial,? Kroll said.

Kroll views cybersecurity matters as a key governance matter that reflects management?s priorities and can affect operations.

?Although limited resources can be a constraint, they do not rule out improvements to cybersecurity programs,? Kroll said. ?Basic improvements to employee training, for example, can provide many benefits and is generally not expensive to implement.?

In general the bond market is volatile, and fixed income securities carry interest rate risk. (As interest rates rise, bond prices usually fall, and vice versa. This effect is usually more pronounced for longer-term securities.) Fixed income securities also carry inflation risk and credit and default risks for both issuers and counterparties. Unlike individual bonds, most bond funds do not have a maturity date, so avoiding losses caused by price volatility by holding them until maturity is not possible.

Lower-quality debt securities generally offer higher yields, but also involve greater risk of default or price changes due to potential changes in the credit quality of the issuer. Any fixed income security sold or redeemed prior to maturity may be subject to loss.

Before investing, consider the funds' investment objectives, risks, charges, and expenses. Contact Fidelity for a prospectus or, if available, a summary prospectus containing this information. Read it carefully.