Havoc-based cyber risk stalking public finance

BY SourceMedia | MUNICIPAL | 07/17/24 03:02 PM EDT By Scott Sowers

The threat of cybercrime perpetrated against municipalities continues to mutate into more sophisticated and life-threatening schemes.

"If I had to tell you what keeps me up at night, it's not necessarily the garden variety ransomware," said Omid Rahmani, an associate director for U.S. public finance at Fitch Ratings "It's the advanced, nation-state, havoc-based attacks. These are attacks with the sole purpose of causing physical damage, disruption, sabotage, all the way up to and including loss of life."

The comments came at a conference dedicated to cybersecurity hosted by Hilltop Securities on Tuesday in Dallas.

The Cybersecurity & Infrastructure Security Agency includes the Chinese, Russian, North Korea and Iranian governments, as hostile nation states bent on cyber mischief including "espionage, data theft, and network/system disruption or destruction." Threats are now divided into those looking for ransom and others designed to create havoc.

The academic community has also taken an interest on cyber threats aimed at municipalities.

According to a published paper reviewed as part of the Brookings 13th annual Municipal Finance Conference on Wednesday, "State and local governments are attractive cybercrime targets because of inadequate cybersecurity and ample access to sensitive information."

The paper is authored by Filippo Curti, Ivan Ivanov, who are Fed economists, and Marco Macchiavelli and Tom Zimmermann, who are university economists.

The authors go on to say, "We show that external data breaches translate to higher financing costs for governments, including negative abnormal bond returns in the secondary market and higher offering yields and bond pricing uncertainty in the primary market."

Rahmani ties the lack of security in local governments to a shortage of human resources. "The muni sector is one of those situations where it truly is low hanging fruit because resources are very limited" he said.

"Staffing is very limited in one of the most competitive markets in the world. The impact is high if you're trying to create havoc."

The vulnerabilities of smaller governmental entities also make them susceptible to attacks that don't have a specific target in mind.

"Individual organizations or entities are not always specifically targeted," said Tom Kozlik, managing director and head of public policy and municipal strategy for Hilltop. "Hackers will write a virus or use a program that is sent out to dozens or hundreds or thousands of entities in a particular geographic area or a particular sector."

Recent history is peppered with real world attacks including a February strike on Change Healthcare systems, a medical billing intermediary that handles about 6% of all U.S healthcare system payments. On Tuesday the firm's parent company announced that costs of the breach had reached nearly $2.5 billion.

In March, S&P Global Ratings addressed the implications by saying, "The credit impact could vary across rated providers, depending on credit specifics such as liquidity and reserves, ability to put workarounds in place, and the time it takes for Change Healthcare's systems to be operational."

Hospitals and healthcare providers are especially problematic for cyber-crime fighting.

"The healthcare sector owns and stores the most valuable type of personally identifiable information in the world," said Rahmani. "Personal health data trafficked on the dark web has a monetary value. Health PII has one of the highest amounts attached to it."

In January, Fulton County Georgia, absorbed a ransomware-based cyber-attack that turned off government phone lines, while stalling car registrations and the issuance of marriage licenses.

Moody's shrugged off any long-term effects on the county's Aa1 bond rating in February.

"The cyberattack's immediate credit implications are likely to be limited but could evolve depending on the duration of the disruption and cost of service restoration," Moody's said.
"Notably, county officials have confirmed the event did not prevent the county from making a February 1 interest-only bond payment on time and in full."

The threat was eventually neutralized in early March.

The rising costs of fighting off cyber threats are showing up in the insurance premiums being paid to shift the risk of a strike.

In March, S&P reported that "Escalating cyber security risks for U.S. public sector entities have increased the cost of protection. Skyrocketing premiums have driven many public sector entities, especially smaller municipal governments, out of the market for cyber insurance."

The agency noted that many local governments circumvented the higher costs by forming cyber risk pools functioning as consortiums that offer lower-cost cyber risk insurance while also providing mutual support to public sector entities' cyber security efforts.

By May S&P noted that insurance capacity was on the rise and premiums were dropping.

Qualifying for insurance has now become part of the equation. "We're at the point where cyber insurance is not just become unaffordable for small to medium sized issuers," said Rahmani. "It's frankly unavailable, as in, they just don't meet the basic criteria of cyber readiness to qualify for insurance."

In general the bond market is volatile, and fixed income securities carry interest rate risk. (As interest rates rise, bond prices usually fall, and vice versa. This effect is usually more pronounced for longer-term securities.) Fixed income securities also carry inflation risk and credit and default risks for both issuers and counterparties. Unlike individual bonds, most bond funds do not have a maturity date, so avoiding losses caused by price volatility by holding them until maturity is not possible.

Lower-quality debt securities generally offer higher yields, but also involve greater risk of default or price changes due to potential changes in the credit quality of the issuer. Any fixed income security sold or redeemed prior to maturity may be subject to loss.

Before investing, consider the funds' investment objectives, risks, charges, and expenses. Contact Fidelity for a prospectus or, if available, a summary prospectus containing this information. Read it carefully.

fir_news_article