Bill would help municipalities combat cyber attacks
A bill introduced in the House of Representatives would fortify states and localities by providing grants to combat cyber attacks, an issue that has become increasingly problematic in the muni market.
Rep. Cedric Richmond, D-La., introduced the bill, the State and Local Cybersecurity Improvement Act, on Monday. The bill would authorize a new grant program at the Department of Homeland Security to take action on cybersecurity at the state and local level.
“The State and Local Cybersecurity Improvement Act is a critically important piece of legislation that provides state and local governments the tools they need to significantly invest in their cybersecurity infrastructure,” Richmond said in a press release.
The bill would establish a $400 million DHS grant program to incentivize states to increase their cybersecurity funding. The bill requires DHS’s Cybersecurity and Infrastructure Security Agency to develop a plan to improve states and localities’ cyber defenses. It would also establish a State and Local Cybersecurity Resiliency Committee so states and local governments can advise the DHS on their needs.
Rep. Dutch Ruppersberger, D-Md., who is co-chair of the Municipal Finance Caucus, was among 14 cosponsors of the bill.
“Hackers are increasingly targeting state and local governments, as we painfully learned in Baltimore last year, where a ransomware attack cost the city more than $10 million,” Ruppersberger said in the release. “Even worse, some communities are actually paying the ransom – it’s a risk calculation that many at the state and local level do not have the expertise to make. This legislation will give state and local governments the resources they need to invest in cybersecurity and protect themselves and their citizens.”
Cybersecurity has become an increasing issue in the municipal securities market, with smaller local governments and agencies the most vulnerable and lacking in the technological resources to protect themselves.
New Orleans was hit by a cyberattack two months ago, causing the city’s mayor to declare a state of emergency. The Oklahoma Law Enforcement Retirement System shelled out $4.2 million to hackers late last year, though some of that was recovered.
Ruppersberger’s home state was attacked in May 2019 when hackers digitally seized about 10,000 Baltimore government computers and demanded about $100,000 in bitcoins to free them up.
Earlier this month, Pleasant Valley Hospital in West Virginia was hit with a ransomware attack. The virus entered the hospital’s system via emails sent 10 months before the hackers asked the hospital for money. The hospital was found partly responsible for the hospital’s breach of its covenant agreement, which may mark the first time a cyber attack triggered a formal covenant violation.
The hospital then had to spend about $1 million on new computer equipment and infrastructure improvements. That cost, with declining patient volume, caused the hospital’s debt service coverage to fall below what the loan agreement required.
Credit rating agencies have also taken note of the growing risk. They are looking at the quality of the computer systems personnel and whether a government entity has a plan to deal with cybersecurity. S&P Global Ratings downgraded Princeton Community Hospital in West Virginia a few months ago after a ransomware attack hit two years ago, weakening the hospital’s reserves, which were already declining because of operating losses.
Moody’s Investors Service hasn’t downgraded any of its ratings because of cybersecurity risks yet, but said it could happen in the future.
The bill will be marked up in the Committee on Homeland Security on Wednesday.