St. Paul, Minnesota, is recovering from a cyber attack that disrupted a number of the city's internal systems — some of which have yet to be restored — ahead of the Aug. 19 closing for its latest bond deal.
It's unclear if the closing will be affected, but so far there's been no disclosure of any direct impact on the transaction.
"There's something a little bit different that's going on in St. Paul than your regular garden-variety ransomware attack that we've been dealing with on a regular basis in the public finance community," Omid Rahmani, public finance cybersecurity lead at Fitch Ratings, told The Bond Buyer.
"There is almost no information as to the nature of the incident. And again, in my experience, that usually means that something different is going on," Rahmani said.
Gov. Tim Walz's office said the "magnitude and complexity" of the attack overwhelmed the city's defenses.
The city self-insures its cybersecurity liability, according to disclosures posted in the
The Series 2025C sewer revenue bonds priced July 23, two days before the hackers struck. S&P Global Ratings rated the bonds AA-plus with a stable outlook.
In the wake of the attack, St. Paul Mayor Melvin Carter declared a state of emergency, which was extended over the weekend.
"While this security incident disrupted some of our internal systems, our top priority remains ensuring our emergency response continues without interruption," he said
According to the
"We are committed to working alongside the city of Saint Paul to restore cybersecurity as quickly as possible," Walz said in a statement. "The Minnesota National Guard's cyber forces will collaborate with city, state, and federal officials to resolve the situation and mitigate lasting impacts."
Rahmani noted the St. Paul incident marks the first time the National Guard has been called in to deal with a municipal cyber attack, and he pointed to the statement by Walz.
"That is an atypical statement for the governor of a state to make in relation to a cyber incident that we've experienced in the municipal sector. That is the first thing that piqued my curiosity," he said.
The U.S. has been "in a state of elevated vigilance in relation to cyber risk" in recent months, he noted. All security agencies issued what were essentially "shields up" warnings. And while it's unclear whether the St. Paul incident is the type of attack they were warning against, the magnitude of the response has been unusual, raising the question of whether the nature of the attack is also atypical.
"Over the weekend, the city actually extended its state of emergency in relation to the cyber incident to 90 days," Rahmani said. "That's a generous amount of time in terms of a state of emergency."
He added, "The city prior to the attack seemed to have fairly — by muni standards — good cybersecurity and security protocols. From a governance perspective, they seem to have a decent governance structure in regards to their cybersecurity framework.
"It's very interesting that we had essentially all of the stops pulled, all in one go, all on the front end," he said.
Jennifer Lor, press secretary for the mayor, did not respond to emailed questions by press time, and did not grant requests to interview Interim Director of the Office of Financial Services Laura Logsdon or Office of Technology and Communications Director Jaime Wascalus.
Fitch released a report last month on public finance cyber risk, saying it has been heightened by geopolitical conflict, including between Israel and Iran.
"Iranian-state affiliated actors and hacktivist groups are targeting U.S. critical infrastructure, and the frequency of cyber intrusions is likely to rise, as highlighted by joint advisories from the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation, Department of Defense Cyber Crime Center, and National Security Agency," Fitch warned.
"Following a cyber incident, we assess an issuer's ability to maintain operational continuity, the duration and scale of service delivery interruptions, impairments to cash flows, and reputational damage," the rating agency added.
Fitch noted that proactive risk management, including cyber insurance, is critical to mitigate threats and maintain credit quality.
While historically, cyber incidents have not tended to lead to rating action, "severe breaches that pressure credit metrics or clear deficiencies in cyber risk management can lead to negative rating actions," Fitch said.
The rating agency also pointed to a one-third reduction in CISA's headcount this year — which could impact state and local government resilience by reducing coordination, defense and response. And resource constraints are a persistent challenge for the public sector, which has shown increasing vulnerability to cyber attacks.
Rahmani noted CISA and the FBI's cybercrime unit are assisting in the St. Paul case.
"There's a great deal of state, federal and local resources tied up with St. Paul," he said. "We're in an interesting time right now, when we have an elevated threat landscape and also we're having incidents that are a little bit different than the garden-variety incident."
And the threat landscape, Rahmani added, is only expanding, with vectors of attacks growing.
Trends like data exfiltration and manipulation of data are on the rise, he said.
While the majority of cyber attacks have a financial motive, there is the occasional attack with a purely destructive motive, and those, while less common, can be far more damaging.
Rahmani compared this attack to
The extent of the damage in St. Paul remains unclear. "What we do know is the nature of the response," he said. "I look at changes when it comes to how situations are handled, and this is a change."
Thus far, St. Paul's only disclosure on the Municipal Securities Rulemaking Board's EMMA website is a brief paragraph added to the official statement that shares little beyond what has already been made public in press releases.
"They probably have discussions with their attorneys, as well … so I'm sure that if there was an impact, the market would be notified one way or another, but as of right now, we just don't know," Rahmani said.
St. Paul's GO bonds are rated AAA by Fitch and S&P. Its water revenue bonds are rated AAA and its sales tax revenue bonds are rated AA-minus by S&P. The outlook is stable.
Fitch rated the city's
