As more cities and municipalities issue municipal bonds to fund public projects and infrastructure, the importance of cybersecurity in municipal bond issuance is becoming increasingly apparent. Cybersecurity risks can have significant financial and reputational implications for both the issuer and the bondholder, making it crucial for issuers to disclose these risks in a transparent manner. In this article, we will analyze the key cybersecurity factors that impact municipal bond issuance, including the city of Baltimore and its ransomware attack in 2019, and explore the tradeoffs involved in balancing risk and transparency.
The Risks of Cybersecurity in Municipal Bond Issuance
Municipal bond issuers are responsible for safeguarding the sensitive financial and personal information of bondholders, and failure to do so can result in significant financial and reputational damage. Cybersecurity threats can range from hacking and data breaches to ransomware attacks, which can result in the loss of sensitive data or even the complete shutdown of operations. In addition, the disclosure of cybersecurity risks is required by the Securities and Exchange Commission (SEC) and failure to do so can result in legal and financial consequences for the issuer.
The City of Baltimore Ransomware Attack
In 2019, the city of Baltimore experienced a high-profile ransomware attack that impacted city services and operations, including its ability to issue municipal bonds. The attack resulted in a loss of critical data and caused significant disruption to the city’s financial systems. In response, the city disclosed the attack in its bond offering documents and disclosed its efforts to address the issue. While this approach was lauded for its transparency, it also highlighted the challenges of balancing transparency with the potential negative impact on bond prices.
The Suffolk County Cyber Attack
In September 2022, Suffolk County, New York, experienced a ransomware attack that compromised the county’s records, including personal information. As a result, several government services were temporarily shut down, including online payment systems for traffic tickets, and the county’s email and web-based services were taken offline. The county is currently collaborating with cybersecurity firms and other agencies to assess the extent of the damage and restore the affected systems.
The ALPHV/BlackCat ransomware group is responsible for the attack, and they have demanded a “small reward” from the county to prevent the release of more than 4 TB of stolen data. However, the county has chosen not to pay the ransom and instead opted to take itself offline. While most of the county’s systems are now back online, some workarounds remain in place to ensure the continued safety and security of all users.
Balancing Risk and Transparency
While cybersecurity risks must be disclosed in municipal bond offerings, the level of detail and transparency can vary. Issuers must balance the need for transparency with the potential negative impact on bond prices, providing context and allowing investors to understand what is being done to address ongoing risks can help reduce the perceived risk and increase investor confidence. As such, it is important for issuers to consider the impact of cybersecurity risks on their operations and finances and disclose these risks in a transparent but helpful manner.
Tools like MuniProfile make it easy for issuers to keep track of their score, and improve it when needed, while maintaining transparency with their investors.
MuniProfile provides muni bond issuers with easy-to-understand investor relations websites, improved investor transparency, custom roadshows, and investor analytics all to help drive demand for their bond sales.
The Importance of Considering Impact
When disclosing cybersecurity risks, it is important for issuers to consider the potential impact on their operations and finances. Issuers should conduct regular risk assessments and implement appropriate safeguards and mitigation strategies to minimize the risk of cyber threats. In addition, issuers should consider the impact on their reputation and the potential impact on bond prices. By taking a proactive approach to cybersecurity and considering the potential impact on all stakeholders, issuers can balance risk and transparency in a way that promotes investor confidence and protects their financial interests.
Cybersecurity risks are a critical consideration in municipal bond issuance, and issuers must balance risk and transparency to protect their financial interests and maintain investor confidence. The city of Baltimore’s ransomware attack serves as a cautionary tale of the potential consequences of cybersecurity risks and highlights the importance of proactive risk management and transparent disclosure. By considering the impact of cybersecurity risks on their operations and finances, issuers can strike a balance between risk and transparency that promotes investor confidence and protects their financial interests.