After the latest cyberattack on a K-12 school system — in this case, Evanston Township High School, in Chicago's north suburbs — rating agencies and muni market participants warned of an evolving risk to school district issuers.
In Evanston, a ransomware attack shuttered the high school for two days and took its phone and computer systems offline. ETHS phones were still down on Friday, nearly a week after district officials discovered the attack on Sunday.
As of June 30, 2025, the district had $27.5 million of general obligation bonds, qualified zone academy bonds and debt certificates outstanding, plus $31 million of other long-term debt, according to its FY2025
The cybersecurity disclosure in the
In response to questions, ETHS Director of Communications Reine Hanna pointed to a statement on
The statement said the Federal Bureau of Investigation is investigating the incident.
"The district is focused on responding to and recovering from the cybersecurity incident," Hanna said by email. "Because the matter remains under active investigation, we are not in a position to provide additional comment beyond the information that has already been publicly shared by the district."
There's scant information available about the Evanston attack, "because the FBI cyber response task force is involved, and in those cases, there's literally no information that gets out," said Omid Rahmani, associate director and public finance cyber risk lead at Fitch Ratings.
While cybersecurity disclosure can be tricky — issuers don't want to offer details of defenses that could be exploited by hackers — there is investor interest in better disclosure on the governance side, Rahmani said. That means having an incident response plan; having a communication plan; making sure that if there are state laws, they are adhered to; and at least annual certification of employees.
But the overarching story here "is that school districts are getting targeted more and the U.S. is leading that by a wide margin across the world," Rahmani said.
"The real story is the budgetary pressure," he said. "School districts are increasingly under pressure for all of their needs, not just cyber security. But because cyber security has historically not been a top priority for districts in times of crunch, it just gets squeezed even more, and the thing is, the threat actors know this."
With property tax reforms sweeping the country — including, recently,
And the data that school districts hold has recently skyrocketed in value on the dark web, where "the criminals have discovered that very few parents actually do credit monitoring for their minor children," Rahmani said. So threat actors are starting to gravitate toward K-12 issuers, whereas in the past, healthcare data had been the most lucrative, Rahmani said.
"School districts are really low-hanging fruit" from threat actors' perspective, he said. "Over half of districts don't have a specific cyber security lead professional" and many don't have that professional reporting directly to top leadership, a key marker of good governance.
"Insurance can be part of a good cyber strategy, but there are also other elements ... like the importance of overall cyber hygiene," said Tom Kozlik, head of public policy and municipal strategy at Hilltop Securities.
He pointed to Hilltop's recent public finance leaders survey data, which showed that from
"I don't think that the importance of cyber has decreased," Kozlik said. "I think there's so many other things public entities, especially K-12 school districts, are dealing with right now."
But investors are paying attention. And even as cybersecurity has fallen among public sector leaders' top concerns, it has climbed in Hilltop surveys of municipal analysts between
"This is something that investors consider," Kozlik said. "As AI, and especially as quantum computing gets a little more into the picture, I think folks will be paying even more attention to it."
In addition to ransomware attacks, school districts and local governments are increasingly seeing funds hijacked, as in the
In November, hackers intercepted $4.8 million from the borough of Spotswood, New Jersey, that was intended for the local school district. Some of the money was later recovered.
But with the school district losing $3.4 million, nearly 10% of its 2023-24 operating budget, in the attack, the borough council authorized a refunding bond measure to repay the district, and the borough plans to issue more bonds by next year to make up the full $3.4 million,
The Spotswood example shows how precedents are in flux, Rahmani said. "I'm not aware of any other situation where an entity has had to issue debt and pass that cost to the taxpayer after essentially losing money in a social engineering cyber or any other kind of cyber attack."
A bond rating downgrade could result from the loss of funds in a cyberattack, as well as from the decision to borrow for operating expenses, which would further increase costs to taxpayers.
"We don't rate that particular entity, but in a hypothetical scenario where an entity loses nearly 10% of their budget, yeah, that would require a credit discussion," Rahmani said.
The Spotswood Public Schools board of education did not respond to emails seeking comment.
"The rapid acceleration of AI is increasing the uncertainty where cyber is concerned," Kozlik warned. The technology "is not even changing in a matter of months, it's changing a matter of sometimes weeks and days with these new models."
The idea that "we don't necessarily have to dedicate resources to security, because if something bad happens, we can just push it (onto taxpayers)," is a troubling precedent to set, from both a credit and a governance perspective, Rahmani said.
"When it comes to cybersecurity, prevention is a lot cheaper," he said.
