Cyber risk a concern for municipalities; tight labor market seen contributing to vulnerability

26 December 2018

Cyber risk is a worry for municipal bond investors, and the tight labor market hasn’t helped, T. Rowe Price municipal credit analyst Linda Murphy said in an Interview with Debtwire Municipals.

 

Competition for talented Information technology (IT) professionals makes it difficult, particularly for local governments, to guard their IT systems from threats, Murphy, a T. Rowe Price vice president, said. The US unemployment rate remained at 3.7% in November, according to a release from the US Department of Labor’s Bureau of Labor Statistics.

 

“With the unemployment rate so low, I think it’s hard for localities to hire a strong tech person,” she said. “They’re in such high demand, and so I think that over the years – localities in particular – their systems are outdated and probably more susceptible.”

 

Donald F. Norris, professor emeritus of public policy at the University of Maryland, Baltimore, agreed.

 

“Most local governments find it difficult to pay competitive salaries to technology staff because salaries in the private sector are so much higher than those that local governments can pay,” Norris said in an email to Debtwire Municipals. “When the labor market gets tight, this exacerbates the problem.”

 

Most governments, as well as many private sector firms, aren’t giving enough attention to cybersecurity, he said.

 

“But, the reality of the cyber world today is that even the most well-prepared organization is likely to [be] breached at some point because the bad guys are very good, very persistent and seem to stay at least one step ahead of the good guys who are defending against them,” the professor said.

 

And those attacks can be expensive. A federal grand jury returned an indictment unsealed on 28 November charging two Iranian men in an international computer hacking and extortion scheme involving ransomware, according to a US Department of Justice press release. The indictment alleges that the men authored malware known as “SamSam Ransomware” and used it to encrypt data on victims’ computers. They acted from inside Iran, the release said.

 

The ransomware deployment – which targeted hospitals, municipalities and public institutions – caused more than USD 30m in losses, the release alleged. The more than 200 victims included the cities of Atlanta, GA and Newark, NJ as well as the Port of San Diego in California and the Colorado Department of Transportation, the release said.

 

But smaller issuers aren’t immune. In February, Allentown, PA, announced that “a malware breach” was discovered in its computer system and that the city’s information systems staff had determined that “curing the infection was going to be beyond its scope,” prompting the city to bring in a team from Microsoft, according to a 20 February news release on the city’s website.

 

A successful cyberattack can bring down part of a government’s IT system or all of it, Norris said. It can be held for ransom, damaged or worse, depending on what’s breached and why.

 

“Think, for example of a successful terrorist attack on a water filtration plant or a traffic light control system,” Norris said. “Any of these breaches can be costly – for example to have to pay ransom or to have to spend the time, effort and money to recover from a breach where no ransom is involved.”

 

Still, the professor hasn’t seen anything to suggest that the damage to a local government’s budget would be more than short-term, he said.

 

“However, this does not mean that something much worse and much more costly might not happen sometime, though I think such an event would likely be very rare,” Norris said.

 

A USD 4.755m tranche of City of Allentown Series A of 2015 general obligation bonds due in 2045 last traded in small lots on 19 October at 97.499 to 96.099 to yield 4.002% to 4.09%, according to Electronic Municipal Market Access (EMMA), which did not show a Fitch Ratings rating for the bonds. Moody’s Investors Service assigned an underlying rating of A3, while S&P Global Ratings assigned an underlying rating of A, according to their respective websites.