A Quick Cybersecurity and Municipal Bonds UpdateJim Colby, Portfolio Manager and Strategist, Municipal BondsApril 05, 2019
Back in August and September 2017, we published a three-part series of Muni Nations entitled Cybersecurity and Municipal Bonds. In it we explored the intersection between cybersecurity and the municipal bond market. We concluded, amongst other things, that cybersecurity standards that safeguard municipal lenders are critical.
It is perhaps no coincidence that in the past week to ten days there have been articles in The New York Times, as well as a segment on CBS News’ 60 Minutes, concerning “cyber” in various contexts. Increasingly, more attention is being paid to concerns in this area.
Since we wrote last, here are some municipal cybersecurity incidents that were reported in 2018 (who knows how many weren’t?): mostly in February and March—for some reason:
- City of Leeds, Alabama: Ransomware attack—loss of computers
- City of Atlanta: Ransomware attack—loss of computers
- Colorado, Department of Transport (DoT): Ransomware—loss of computers
- Baltimore: Cyberattack on 911 dispatch system—temporary disruption
Damage sustained varied from serious disruptions to service and business-as-usual, to losses of data and, of course, any ransoms paid. The costs to Colorado associated with the attack on its DoT were estimated to be well over $1 million and those to Atlanta more than $20 million.1
In the corporate space probably the most egregious incident has to have been the massive data breach at Marriott in which, amongst other things, 327 million people had such information as their names, telephone numbers, email addresses, and passport numbers exposed.
And only the other morning (March 19), reports were coming in of a cyberattack at the one of Europe’s largest aluminum producers, Norsk Hydro. Quoted in the Financial Times,2 Eivind Kallevik, the company’s finance director said: “The situation for Hydro through this is quite severe. The entire worldwide network is down.” The ransomware used appears to be the same that was used against French company Altran Technologies (a leading engineering and consulting firm) earlier this year.
Is Anything Being Done About It?
From where we sit here in Midtown Manhattan, the answer seems to be: “Not that much—that we can see.” Now, of course, we may be wrong. But if anything really significant is actually being done, we have yet to learn about it.
Since we last wrote, we have had some very smart people come by the offices to chat about a number of different sorts of ratings around cybersecurity for municipal bonds. All have given persuasive and certainly quite interesting pitches. But have we heard anything positive from them thereafter? No.
As we wrote before, but perhaps even more so, not only does there seem to be little sense of urgency out there, but also any incentive to do anything prophylactic, as opposed to curative, still appears totally absent—except, needless to say, to those who have already been clobbered.
A Little Light—Perhaps?
In September last year, the U.S. Government Accountability Office (GAO) published a report to “Congressional Committees” in its “HIGH-RISK SERIES” (indicative in itself!) entitled “Urgent Actions Are Needed to Address Cybersecurity Challenges Facing the Nation”.3
In its own words, the GAO had “identified four major cybersecurity challenges and 10 critical actions that the federal government and other entities need to take to address them.”
The GAO does not mince words and what struck us so forcefully looking at these challenges and critical actions was that you could easily substitute “state”, “municipality”, “city”, “local government”, etc., where and when appropriate, for “national”, “federal”, etc., and they would be just as relevant. And important.
Here they are:
Critical Actions Needed
Establishing a comprehensive cybersecurity strategy and performing effective oversight
- Develop and execute a more comprehensive strategy for national cybersecurity and global cyberspace
- Mitigate global supply chain risks (e.g., installation of malicious software or hardware)
- Address cybersecurity workforce management challenges
- Ensure the security of emerging technologies (e.g., artificial intelligence and Internet of Things)
Securing federal systems and information
- Improve implementation of government-wide cybersecurity initiatives
- Address weaknesses in federal agency information security programs
- Enhance the federal response to cyber incidents
Protecting cyber critical infrastructure
- Strengthen the federal role in protecting the cybersecurity of critical infrastructure (e.g., electricity grid and telecommunications networks)
Protecting privacy and sensitive data
- Improve federal efforts to protect privacy and sensitive data
- Appropriately limit the collection and use of personal information and ensure that it is obtained with appropriate knowledge or consent
At least, seven months later, cybersecurity remains a concern for the administration. On March 18, describing her department’s priorities4 for the coming year, Homeland Security Secretary Kirstjen Nielsen said: “On top of my list of threats, that many of you can guess, the word ‘cyber’ is circled, highlighted and underlined. The cyberdomain is a target, a weapon and a threat vector all at the same time.”
However, when it comes to cities, towns, and other municipal governments, such concern has not been as evident. In addition, as so succinctly put in an article in The American Prospect5 last year: “Many of the problems that municipalities face do not require deep knowledge of information systems technology—there are individuals who can bring those skills set to the table—but rather a firm handle on assessing threats and making the required decisions to assure security.”
The services provided by municipal borrowers remain vital to our everyday life. The need to protect the provision of these services has become ever more critical. The effects of not doing so have become ever more apparent and the costs of remediate ever more expensive.
We believe that, when it comes to cybersecurity, despite the availability (and use) of cyber insurance, cure, as opposed to prevention, should really no longer be an option. When it comes to a credit rating, those borrowers who continue to depend upon the former should be subject to even closer scrutiny. And those who are actually doing something about cybersecurity should be rewarded.
We so look forward to updating you more positively next time. But we are not holding our breath!
On April 2, Security Affairs6 reported that, the prior weekend (starting on Saturday morning), the computer systems of the City of Albany, New York, were infected with malware in a ransomware attack. At the time of writing no further technical details were available.
1The Wall Street Journal: More U.S. Cities Brace for ‘Inevitable’ Hackers, September 4, 2019, https://www.wsj.com/articles/more-cities-brace-for-inevitable-cyberattack-1536053401
2Financial Times: Aluminium producer Norsk Hydro suffers cyber attack, March 19, 2019, https://www.ft.com/content/7d93a6be-4a36-11e9-bbc9-6917dce3dc62
3U.S. Government Accountability Office: Urgent Actions Are Needed to Address Cybersecurity Challenges Facing the Nation, September 2018, https://www.gao.gov/assets/700/694355.pdf
4C-Span: https://www.c-span.org/video/?458840-1/secretary-nielsen-remarks-2019-homeland-security-priorities&start=0 [Starting at 27:44]
5The American Prospect: Securing Cities from Cyber Attacks, April 18, 2019, https://prospect.org/article/securing-cities-cyber-attacks
6Security Affairs: Computer systems in the City of Albany hit in Ransomware Attack, April 2, 2019, https://securityaffairs.co/wordpress/83187/cyber-crime/city-albany-ransomware-attack.html
IMPORTANT MUNI NATION® DISCLOSURE
This content is published in the United States for residents of specified countries. Investors are subject to securities and tax regulations within their applicable jurisdictions that are not addressed on this content. Nothing in this content should be considered a solicitation to buy or an offer to sell shares of any investment in any jurisdiction where the offer or solicitation would be unlawful under the securities laws of such jurisdiction, nor is it intended as investment, tax, financial, or legal advice. Investors should seek such professional advice for their particular situation and jurisdiction.
VanEck does not provide tax, legal or accounting advice. Investors should discuss their individual circumstances with appropriate professionals before making any decisions. This information should not be construed as sales or marketing material or an offer or solicitation for the purchase or sale of any financial instrument, product or service.
Please note this represents the views of the author and these views may change at any time and from time to time. MUNI NATION is not intended to be a forecast of future events, a guarantee of future results or investment advice. Current market conditions may not continue. Non-VanEck proprietary information contained herein has been obtained from sources believed to be reliable, but not guaranteed. No part of this material may be reproduced in any form, or referred to in any other publication, without express written permission of VanEck. MUNI NATION is a trademark of Van Eck Associates Corporation.
Municipal bonds are subject to risks related to litigation, legislation, political change, conditions in underlying sectors or in local business communities and economies, bankruptcy or other changes in the issuer’s financial condition, and/or the discontinuance of taxes supporting the project or assets or the inability to collect revenues for the project or from the assets. Bonds and bond funds will decrease in value as interest rates rise. Additional risks include credit, interest rate, call, reinvestment, tax, market and lease obligation risk. High-yield municipal bonds are subject to greater risk of loss of income and principal than higher-rated securities, and are likely to be more sensitive to adverse economic changes or individual municipal developments than those of higher-rated securities. Municipal bonds may be less liquid than taxable bonds.
The income generated from some types of municipal bonds may be subject to state and local taxes as well as to federal taxes on capital gains and may also be subject to alternative minimum tax.
Diversification does not assure a profit or protect against loss.
Investing involves substantial risk and high volatility, including possible loss of principal. Bonds and bond funds will decrease in value as interest rates rise. An investor should consider the investment objective, risks, charges and expenses of a fund carefully before investing. To obtain a prospectus and summary prospectus, which contain this and other information, call 800.826.2333 or visit vaneck.com. Please read the prospectus and summary prospectus carefully before investing.