- Managed Security Services
- Cybersecurity Solutions
- Site Security Assessment
- Vendor IT Audits
- Risk Analysis
- Disaster Recovery
- Business Continuity
- Data Recovery
- Policies and Procedures; Training
- Disaster Response Coordination and Management
- Data breach notification(s)
- IT Security Assessment
- vCISO Engagement
- Business Strategy
- Threats and Intelligence
- On site training, including Periodic Dry Runs
Cybersecurity and Cybercrime Concerns for Municipal Entities
One last reference to Armolon’s recent participation as a cybersecurity panelist at the National Muni Bond Summit in Nashville, Tennessee. The Summit is a national and annual event organized by the Bond Dealers of America (BDA) and The Bond Buyer.
The large majority of conference participants were municipal issuers of U.S. municipal bonds (primarily tax-exempt bonds to finance municipal infrastructure), and, of course, related bond broker-dealer underwriters and lawyers.
Some of you are aware that most of my professional career was spent as a public finance investment banker, or, separately, as bond counsel/disclosure counsel for municipal issuers, or underwriter’s/disclosure counsel for members of the bond underwriting community. Therefore, I have a keen interest in highlighting potential cybersecurity/cybercrime issues that municipal issuers and their investment bankers should consider.
Along these lines, while participating on the panel, it became clear to me that many of the participants may also appreciate an update on why cybersecurity/cybercrime understanding is critical for all parties participating in municipal bond underwriting (i.e. the municipal issuer, the broker-dealer bond underwriter, and the attorneys).
I am a “bullet point” writer, so here goes:
- Reputational Risk – All municipalities want to be referred to in the following sentence – “This [town, city, county, state] is an ideal place to live and raise a family.” Where once the reference was primarily to quality jobs, schools, parks, green areas, transportation, and reasonable/formula-transparent property taxes, the reference now also includes a municipality that is sensitive and responsive to cybersecurity/cybercrime issues. Municipalities and their agencies/utilities maintain a large volume of sensitive information about residents – i.e. property taxes, home value, driver’s license numbers, police department records, tax and utility payment delinquency, etc. Neither the municipality nor the resident wants to be a target of a hack – the municipality and the resident suffer embarrassment and significant reputational damage, and, probably worse, the resident(s) gets extremely angry at the municipality.
- Inundation – I thought I made up this word. Municipal officials and boards are extremely busy, and often have little time and funds to spend on all the issues presented to them. They are inundated with salespersons selling, among other things, computers, latest software, and advice. In many cases, the municipality cannot afford to maintain a “computer/software/cybersecurity expert” on staff. As a result, with all that is going on, cybersecurity/cybercrime issues take a back seat – until “backseat” is not an option. The City of Atlanta, Georgia, malware/ransomware attack is a good reference point of what can happen. See related New York Times articles here and here.
- Compliance with Growing Array of Regulatory and Credit Concerns – As noted above, cybersecurity/cybercrime is not just a for-profit corporate concern. Local, State and Federal cybersecurity data breach rules may also have an impact on municipal bond issuers. Although cybersecurity/cybercrime is not “new”, the abundance of references to it is a relatively recent phenomena. Two critical items for bond issuers:
- It is clear that the major bond rating agencies are not, as yet, using a municipal issuer’s response to the cybersecurity/cybercrime threat as a critical component in the rating process. My public finance investment banker experience tells me, however, that the question will come up during the rating process, and that a municipality’s cybersecurity/cybercrime efforts (be they many, few or nonexistent) can to some degree have a positive or negative influence. See, from Moody’s Investors Service, Credit Implications of Cyber Risk Will Hinge on Business Disruptions, Reputational Effects 2/2019 here and Washington State Cyber Security Audits Help Mitigate Risk From Growing Threat 8/2018 here. A good investment banker will advise her client that the rating agencies favor a municipality that “runs its municipal business as a successful for-profit corporation runs its business”. What such well-run corporation does not have a credible and fluid response to the cybersecurity/cybercrime threat?
- In reference to the “I knew that” file, just a reminder. Basically, every bond issuer may be subject to a variety of Federal/State data accumulation and maintenance rules (e.g., HIPPA, FBI, U.S. Treasury, Department of Homeland Security, the U.S. Securities and Exchange Acts of 1933 and 1934, and, of course, the U.S. Securities and Exchange Commission (when bonds are sold)(SEC)). In addition, unlike the European Union with its May 1, 2018 effective date General Data Protection Regulation (GDPR), the United States does not have any all-encompassing federal personal data protection legislation (although some have been proposed). Several States and their agencies have applicable rules and regulations, but all in all, U.S. cybersecurity rules are a “patchwork”, which, in some cases, may be applicable to municipal bond issuers. These facts and others present a full array of issues that should be discussed with the municipality’s local counsel, bond counsel and disclosure counsel.
- Disclosure — The municipal entity’s or the bond underwriter’s disclosure counsel should by now be very aware of the issues that arise if a municipal issuer does or does not mention cybersecurity in offering documents. From the “thank you, but what are you trying to say … ”-category short paragraph in the recent City of New York general obligation bonds official statement (see footnote below), to the several detailed paragraphs in others, keep the disclosure counsel’s feet to the fire. Full (which does not necessarily mean “long”) and accurate disclosure is not only the rule, but also critical to protecting the investor, the municipal entity staff/board, and the bond underwriter. With regard to proper disclosure, remember — there does not need to be a financial loss in order for the SEC to take action for failure to disclose.
- Legal Authority – Here is some language from my April 2, blog. “With regard to municipal entities, it is important to remember that all municipal entities are creatures of the given state’s constitution and legislation – that is, a municipal entity can only act in a manner consistent with statutory authority. As a result, several critical questions come up in ransom demand situations, which include, does the municipal entity have authority to (i) negotiate a ransom demand, (ii) open and hold a crypto currency account (most ransom demands are paid with crypto currency), and (iii) pay the ransom demand in United States dollars or in crypto currency (along the line of participating in a criminal enterprise). In most states, the answer to all these questions is initially “no”.
- Funding — No matter who you work for, funding for a project or effort is a hugely delicate issue, and needs to be approached in a strategic way. The municipal attorneys, bond counsel and investment bankers can be helpful here. As bond counsel or as an investment banker, I lived by the axiom that “there is always a way to fund it or something very much like it”. Cybersecurity/cybercrime issues will not go away, and are becoming even more critical day-by-day. Finding funding can be extremely difficult, but explore all options to take to the board or council. Use your professional funding folks.
Finally, remember that there are two broad categories of cybercrime goals – (i) to disable the target computer or knock it off-line, or, (ii) to access the target computer’s data and gain administrative privileges. The ransomeware activity in Atlanta, a form of malicious system interference (Malware), was primarily the latter. Ninety-two percent (92%) of these attacks begin with a cybercriminal doing her homework and obtaining initial access to a system through so-called “social engineering” (e.g., phishing by means of email, with access leading to worms, trojans, viruses and bots) – see 10 Incredible Ways You Can Be Hacked Through Email & How To Stop The Bad Guys.