Muni market faces elevated cyber risk as war rages in Middle East
BY SourceMedia | MUNICIPAL | 11:34 AM EDT

As the hostilities with Iran roil geopolitical tensions, some muni market participants worry about elevated cyber risk.
U.S. public finance entities could see heightened "cyber reprisals" by Iran and its proxies amid the continuing conflict in the Middle East, with these attacks from Iranian state-sponsored actors, hacktivist groups, and lone wolves becoming more frequent, Fitch Ratings warns.
"It's clear that there is activity, that there is at least the intention of leveraging and utilizing Iran's cyber capabilities," said Omid Rahmani, public finance cybersecurity lead at Fitch.
Analysis from computer security service Intel
"There is absolutely elevated cyber risk," said Nixon Peabody partner Jason Kravitz, leader of the law firm's cybersecurity and privacy team.
"Modern warfare takes many forms, and cyber attacks represent one of the tools countries can employ," he said. "Iran is a well-known cyber provocateur. Given current hostilities in the Middle East, Iran and other countries could be targeting adversaries with cyber attacks."
"Risks include distributed denial-of-service attacks, financially motivated campaigns, and attacks that seek to cause physical disruption or destruction. Attacks on infrastructure ? such as power or water systems ? can create downstream risks for other sectors," Fitch said.
The severity of potential attacks will depend on the effectiveness of the degradation of the Iranian regime's cyber force capabilities. There was success in the early days of the fighting, but that is no guarantee it will continue. The ultimate outcome will also affect Iran's cyber capabilities, Rahmani said.
"It's something that they've paid attention to. They have some experience in conducting these attacks, [and they are] generally pretty low-risk and high-reward because your personnel doesn't need to be directly engaged," he said of these bad actors, hacktivist groups and lone-wolf attackers, noting damage can be done from anywhere.
Not everyone agrees that cyber risk has been elevated, with one unnamed source believing the risk has always been at this level, but the global awareness of a localized threat has heightened.
Cyber risk is not always at the front of the mind, but now with war in the Middle East, the fear of cybersecurity risk has market participants looking at it more closely, the source said.
"We've known for a decade that war is going to be carried out with attacks beyond bombs. It's going to be data. As much as security of physical assets is important, data security is also important," the source said.
The current elevated cyber risk should be viewed as an "idiosyncratic credit consideration" rather than a systemic risk to the muni market, argues Tom Kozlik, managing director and head of public policy and municipal strategy at HilltopSecurities.
"Sector to sector or issuer to issuer, [cyber risk] is already embedded in the credit profile," as issuers in certain regions and sectors have taken steps to make their credit profiles more resilient to prevent that type of attack, he said.
Columbus, Ohio, for example, is seeing the same cyber threats – ransomware, phishing, social engineering – but the risk is elevated because of the increased incentive for retaliation by state-sponsored groups or hacktivists aligned with them, said Tom Noorkah, director of financial systems at the Columbus auditor's office.
"They have proxies that want to act on their behalf," he said of Iran, pointing to supply chain vulnerabilities that may drive costs up for municipalities.
Local governments are probably not as big a primary target as defense agencies and defense contractors, Noorkah noted. But "they look for where the vulnerabilities are," he said. "If there are known things on the dark web – say, there are weaknesses in a U.S. municipal government, they might go after that. Cameras are typical ways in – somebody wants to get into your network, sometimes that's the weakest line of defense."
"Public finance issuers are targets given the essential services they provide, IT system vulnerabilities, and data collection. Smaller, resource-constrained public finance entities are particularly vulnerable, as federal cybersecurity resource reductions may hinder robust defense, coordination, and response," Fitch said.
Local infrastructure, Rahmani argued, has been a "favorite target" of nation-state bad actors in the past.
In 2013, Iranian hackers breached the control system of the Bowman Avenue Dam in Rye Brook, New York, as part of a wider campaign against U.S. financial institutions.
A decade later, in late 2023, after the events of Oct. 7, Iran-backed actors launched a sustained campaign against local water utilities in the U.S. These bad actors gained access to the IT systems of several dozen water utilities and posted political messaging, Rahmani said.
"Every sector should assume it could be a target, particularly those sectors whose vulnerability would create a strategic advantage for the attacker," Kravitz said.
Healthcare and the power sector are among the sectors best able to weather cyberattacks because of their experience and federal support in a post-9/11 world, Rahmani said.
However, federal investment has been uneven across sectors, with other critical infrastructure sectors receiving less financial support, Rahmani said.
Fitch's warning comes at a time when the Cybersecurity and Infrastructure Security Agency has shed one-third of its workforce over the past year or so.
With this reduction, the muni sector is in a position to take more direct responsibility for defense than before, Rahmani said.
"Issuers need to be more cognizant of their unique cyber risk for their organization and be doing things to try to offset that, not necessarily relying on the fact that there was some federal cavalry force that's right at their doorstep, ready to come in if something happens," he said.
At the end of the day, Noorkah said, standard mitigation tactics still apply: educating end users to resist phishing attacks, patching systems to keep them current, using multi-factor authentication. He advised heightened vigilance in light of the amplified threat.
"These [attacks] could come in now ? it could be a direct attack, a denial of service or something ? or it could come in later, through these proxies," he said.
