ImageMaster's electronic platform MuniOS is back online Thursday after a cyberattack caused the site to be down for several days.
The attack was not a data breach, said Albert Rodriguez, a manager at ImageMaster. Through an exploitable vulnerability in the firewall units, bad actors "successfully executed an attack on our server computer infrastructure, essentially encrypting all the drives," he said.
The attack ultimately caused all servers to fail, forcing the firm to rebuild its servers to get back into operation, he said, stressing that the bad actors did not get any data.
"I will be sending out an email next week to all 40k users of MuniOS explaining the issue," Rodriguez said by email.
The incident left market participants
When MuniOS was down, issuers with active deals had to determine where to turn and whether there were alternative resources where they could publish their offering documents and investor presentations online, said Anna Horevay, a lawyer and public finance partner at McGuireWoods.
Many use MuniOS to view offering materials and related investor presentation videos, while some use the site as a document repository, as "they have that capacity outside of just posting offering documents," she noted.
The site being down led market participants to use other printers, such as McElwee & Quinn, while TM3 linked to preliminary offering statements on platforms like BondLink and EMMA.
BondLink, for one, saw increased activity this week, even into Thursday, said CEO Colin MacNaught, with over $15 billion in supply on its calendar, possibly the most the site has ever had.
New issuers even reached out, saying they planned to use MuniOS, but with the site down, they asked for help, he said.
For issuers "stuck" between a POS and OS, BondLink offered its service for free, and many took the firm up, MacNaught said.
"We felt like we ought to provide that service to the market. We do not want to see an issuer get hung up. So we were really pleased to be in that position to help out," he said.
The platform's absence complicated regulatory compliance for some sellside firms.
Janney, for example, priced a deal last week and had to post the final statement, said Vivian Altman, the firm's head of public finance.
"We are creatures of habit. We got used to what we were used to. And so we were like, 'What do we do?' We can post directly on EMMA, or there are other printers, which were the next fallback, but it was disruptive," she said.
However, MuniOS came back online within the firm's window, allowing Janney to post the document on schedule to its preferred site, Altman noted.
If the site had stayed down for longer, market participants may have faced regulatory challenges.
Issuers could have dealt with 10-day reporting requirements and statutory deadlines for filing enumerated events in SEC Rule 15c2-12, which ensures issuers file certain information to the Municipal Securities Rulemaking Board about the securities on an ongoing basis, said Emily Brock, director of the federal liaison center at the Government Finance Officers Association.
The MSRB, for its part, did notify market participants that they could file information
Outside of potential regulatory issues — which did not materialize — what's problematic about the MuniOS attack is that the site has a tremendous amount of market information, Brock said.
"That's pretty scary. It's not targeting one individual issuer; it's targeting the whole lot. And with the availability of scanning and AI instruction, it's something that should inspire issuers, along with their bond counsel and any broker-dealers that they work with, to ensure the security of that information because it's become abundantly clear that no one's immune," she said.
"It can happen to anybody, so you have to be vigilant and have your safeguards in place. It could have just easily been like a law firm's data repository for a deal room, as it could have been in any [online offering statement platform]," said T.W. Bruno, a partner and transaction lawyer at McGuireWoods.
Therefore, market participants need to be more vigilant in their efforts to combat cyberattacks.
"If it happened to [MuniOS], it can happen to anybody. So you have to stay on your Ps and Qs when it comes to cyber security," Horevay said.
