Disclosing Cybersecurity Risks in Municipal Bond Issuance
As more cities and municipalities issue municipal bonds to fund public projects and infrastructure, the importance of cybersecurity in municipal bond issuance is becoming increasingly apparent. Cybersecurity risks can have significant financial and reputational implications for both the issuer and the bondholder, making it crucial for issuers to disclose these risks in a transparent manner. In this article, we will analyze the key cybersecurity factors that impact municipal bond issuance, including the city of Baltimore and its ransomware attack in 2019, and explore the tradeoffs involved in balancing risk and transparency.
The Risks of Cybersecurity in Municipal Bond Issuance
Municipal bond issuers are responsible for safeguarding the sensitive financial and personal information of bondholders. Failure to protect this information from cyberattacks can result in:
- Financial losses: Data breaches can expose financial information, leading to fraud and identity theft. Ransomware attacks can cripple operations and necessitate costly ransom payments.
- Reputational damage: News of a cyberattack can erode public trust and investor confidence, impacting future bond issuances.
- Disruption of services: Cyberattacks can shut down essential municipal services, impacting residents and businesses alike.
Cybersecurity threats can range from hacking and data breaches to ransomware attacks, which can result in the loss of sensitive data or even the complete shutdown of operations. In addition, the disclosure of cybersecurity risks is required by the Securities and Exchange Commission (SEC) and failure to do so can result in legal and financial consequences for the issuer.
The City of Baltimore Ransomware Attack
In 2019, the city of Baltimore experienced a high-profile ransomware attack that impacted city services and operations, including its ability to issue municipal bonds. The attack resulted in a loss of critical data and caused significant disruption to the city’s financial systems. In response, the city disclosed the attack in its bond offering documents and disclosed its efforts to address the issue. While this approach was lauded for its transparency, it also highlighted the challenges of balancing transparency with the potential negative impact on bond prices.
The Suffolk County Cyber Attack
In September 2022, Suffolk County, New York, experienced a ransomware attack that compromised the county’s records, including personal information. As a result, several government services were temporarily shut down, including online payment systems for traffic tickets, and the county’s email and web-based services were taken offline. The county is currently collaborating with cybersecurity firms and other agencies to assess the extent of the damage and restore the affected systems.
The ALPHV/BlackCat ransomware group is responsible for the attack, and they have demanded a “small reward” from the county to prevent the release of more than 4 TB of stolen data. However, the county has chosen not to pay the ransom and instead opted to take itself offline. While most of the county’s systems are now back online, some workarounds remain in place to ensure the continued safety and security of all users.
Balancing Risk and Transparency
While cybersecurity risks must be disclosed in municipal bond offerings, the level of detail and transparency can vary. Issuers must balance the need for transparency with the potential negative impact on bond prices, providing context and allowing investors to understand what is being done to address ongoing risks can help reduce the perceived risk and increase investor confidence. Best Practices for Responsible Disclosure include:
- Conduct regular risk assessments: Proactively identify vulnerabilities and implement appropriate safeguards to minimize the risk of cyberattacks.
- Develop a comprehensive cybersecurity policy: Establish clear guidelines for data security, incident response, and employee training.
- Engage with relevant stakeholders: Collaborate with cybersecurity experts, rating agencies, and investors to ensure effective risk management and communication.
- Disclose risks transparently: In offering documents, clearly outline the potential cybersecurity threats, mitigation strategies in place, and the potential impact on operations and finances. Avoid overly technical language and focus on providing investors with a clear understanding of the risks and issuer’s approach to addressing them.
- Utilize resources available to you: Tools like MuniProfile can help issuers track their cybersecurity score and improve transparency for investors. Cybersecurity has become an undeniable reality in the modern world, and the municipal bond market is no exception. By acknowledging the risks, implementing robust cybersecurity measures, and disclosing them transparently, issuers can build trust with investors and ensure the continued success of critical infrastructure projects that benefit communities across the country.
MuniProfile provides muni bond issuers with easy-to-understand investor relations websites, improved investor transparency, custom roadshows, and investor analytics all to help drive demand for their bond sales.
The Importance of Considering Impact
When disclosing cybersecurity risks, it is important for issuers to consider the potential impact on their operations and finances. Issuers should conduct regular risk assessments and implement appropriate safeguards and mitigation strategies to minimize the risk of cyber threats. In addition, issuers should consider the impact on their reputation and the potential impact on bond prices. By taking a proactive approach to cybersecurity and considering the potential impact on all stakeholders, issuers can balance risk and transparency in a way that promotes investor confidence and protects their financial interests.
Conclusion
Cybersecurity risks are a critical consideration in municipal bond issuance, and issuers must balance risk and transparency to protect their financial interests and maintain investor confidence. The city of Baltimore’s ransomware attack serves as a cautionary tale of the potential consequences of cybersecurity risks and highlights the importance of proactive risk management and transparent disclosure. By considering the impact of cybersecurity risks on their operations and finances, issuers can strike a balance between risk and transparency that promotes investor confidence and protects their financial interests.