Market Intelligence

Cybersecurity is a key muni credit signal. Are issuers prepared?

Dale Scott
At the 2025 Bond Buyer California Public Finance conference, WireSafe founder and CEO Dale Scott told attendees that the company was conceptualized by, "moving information regarding wire closings between the underwriters and the recipients on a secure platform"
Jesse Sutton

As I think about my recently published muni credit scorecard, one of the key takeaways is that I listed "cyberthreats" as a clear and present risk to most sectors across the public finance ecosystem. Arguably, cyberattacks are not a theoretical concept, but rather a daily  threat to municipal bond issuers that has provided instances of successful and impactful execution.

Processing Content

The municipal securities industry has curated extensive guidance on primary and secondary market disclosure best practices. However, a review of the municipal market's principal trade associations and professional organizations suggests that, while many have issued cybersecurity guidance or educational materials, the market lacks a permanent, cross-disciplinary cybersecurity preparedness task force that combines issuers, legal counsel, municipal advisors, underwriters, investors and cybersecurity professionals. 

This piece is designed to equip bond attorneys and municipal advisors with a framework to develop best practices and advise issuers before, during, and after a cyberattack. In my view, it is critical for attorneys and advisors to keep executive-level issuer personnel current on all known schemes and methods employed by cyberattackers to breach issuer operations. Issuers should also understand their disclosure obligations surrounding cybersecurity preparedness and experience. 

An actual attack can be operationally and fiscally disruptive with very real credit consequences.  Many issuers adhere to recognized methodologies, such as those provided by the National Institute of Standards and Technology, the Center for Internet Security, and the Cybersecurity and Infrastructure Security Agency. 

However, not all issuers are sophisticated and employ the most state-of-the-art cyber-prevention infrastructure and protocols. In fact, I would argue most issuers are ill-prepared to both plan for and respond to cyberattacks, leaving themselves vulnerable to potential litigation, elevated borrowing costs and reduced capital market access. This is particularly relevant for conduit issuers. The fragmented nature of the municipal market, having many issuer types and non-uniform state and local statutes, laws and regulations, can be challenging for technological integration.  

Cyber security concerns are a growing part of the investment narrative and will only intensify across municipal governments and their enterprise units. The risks to municipal credits are rising, especially where cyberattacks are fueled by financial gains. Rating agencies have included cybersecurity attack and preparedness factors into their overall risk assessment. 

Cyberattacks represent a clear and present threat to all aspects of our way of life that could gravely disrupt the security of our nation's financial system, array of infrastructure assets — including our power grid, water supply, and transportation systems — health and higher education providers, communication and information technology networks, and food stock. 

Cyberthreats represent a long-term challenge to issuers and cyberattack preparedness should be top of mind in every conversation with issuer clients, and must be part of the overall credit discussion they have with the rating agencies. Investors should not be complacent regarding operational and disclosure standards surrounding cybersecurity. Accepting anything less exposes retail and institutional portfolios to valuation losses, liquidity erosion and even debt service disruption. 

In my opinion, cybersecurity planning must be ongoing, with recognition that a cyberattack can occur at any time. Issuers must be vigilant and stand at a high state of alert. If I were a municipal advisor, I would pose this question to an issuer: "In the event of a cyberattack are you prepared to maintain operations and meet debt service obligations?" 

Perhaps it would make sense to present this question with a request for qualitative feedback covering treasury and cash management operations, accounting, billing, tax and payroll systems, and debt management activities. Responses should be recorded and labeled with actionable items where appropriate. 

State and local governments and their enterprise units attract cyberattacks given the potential population reach and financial harm. A hospital system, for example, warehouses sensitive patient information that could be a target, or perhaps there is a desire to collapse billing, scheduling, diagnostic, supply chain or life-saving surgical activities. Specifically targeted cyberattacks could prevent the timely payment of debt service on different types of bonds.

Most issuers are responsible for confidential or classified data for taxpayer records and should have appropriate systems in place to guard against a potential cyberattack. A bond sale can be targeted, as active communication is shared among deal team participants and funds are often moved around throughout the process. A breach of confidentiality and corporate emails could expose the transaction to fraudulent wire instructions. Speaking of wire fraud, I applaud efforts made by WireSafe and others to develop a secure platform with proprietary verification protocols. 

There is often misalignment between recognition of cybersecurity preparedness and the available resources to fund associated expenses.I understand there is very little financial appetite to appoint a dedicated cybersecurity professional given budgetary realities, but there should be a designated executive able to absorb this responsibility. Perhaps this function can roll up to treasury or finance.  

This is not an area for negotiation. Global conflict continues to expand, resulting in heightened national security concerns. There is no doubt that our adversaries are constantly curating intelligence around U.S. infrastructure assets, ranging from our airports and roadways to our water supply and power grid. As the Iranian crisis unfolds, the risk of cyberattacks escalates. 

Cybersecurity funding must be viewed as an essential operating expense that should receive annual budgetary attention with both tax-supported obligors and enterprise systems prioritizing allocations. Many critical elements of cybersecurity preparedness may extend into an issuer's capital improvement plan, especially if they are part of a strategic overhaul of IT infrastructure. State and federal grants are also made available to exclusively fund cybersecurity programs. 

Oftentimes, these expenses can be financed through municipal bonds, with investment in airport communications, security upgrades and technological advancement as an example. Clearly, not every aspect of cybersecurity preparedness would be suitably financed in the capital markets. Issuers should receive guidance as to what types of expenses are eligible for bond financing, and, if necessary, funding can be obtained in the taxable muni market for those activities not qualified for tax-exemption.     

As part of internal due diligence best practices and the overall enterprise risk management process for issuers, there should be regularly scheduled cybersecurity briefings. These briefings should be used as a forum to identify areas of weakness and provide multiple solutions to appropriately address and eliminate these exposures. These meetings should also be used to update response protocols as needed. 

For airports specifically, we are concerned about a complex digital ecosystem, with specific implications for reservation systems, baggage handling, concessions, security and surveillance networks, Wi-Fi connectivity, and general aviation operations. 

Many modern airports employ network segmentation as a critical element of their cybersecurity defense infrastructure, designed to minimize the risk of an interconnected attack. The significance is to isolate key systems and controls in an effort to avoid a complete shutdown of airport operations. Redundancy protocols are also employed as a way to thwart targeted attacks and airports routinely coordinate cybersecurity protocols with airlines, the Transportation Security Administration, and the Federal Aviation Administration. 

In the event of an actual cyberattack, various stakeholders have a role to play, and their collective ability to respond timely and effectively will determine the outcome. Every response minute is critical to timely recovery and damage control. These participants include representatives from executive leadership, legal and municipal advisors, communications and public relations, risk management, and finance/treasury. 

I would suggest that issuers run periodic enterprise-wide cyberattack simulations that trigger an incident response plan and test the resiliency of operations and essential service delivery, protection of financial assets, and ability to meet legal and disclosure requirements. It is critically important to gauge the effectiveness of incident response and recovery procedures and to ensure that timely and relevant information and status updates are made available to all stakeholders, including investors, bond trustees, paying agents, municipal repositories, taxpayers, utility users and vendors. 

An incident response contact list would be beneficial for a coordinated effort. Many issuers rely on third-party vendors for multiple functions, such as billing and tax collection. Attorneys and advisors should urge their issuer clients to assess vendor cybersecurity policies and procedures, incident reporting requirements, and business continuity capacity.   

Simulations should present multiple scenarios that account for both known and unknown threats. During this time, containment of sensitive information is critical and any questionable wire requests must be fully vetted. Metrics can be built around detection, response time, compliance, adequate communications, and overall remedial success. Proper notifications must be disseminated to all deal team members should a scheduled bond issuance need to be canceled or postponed. 

Upon conclusion of the simulation, a post-mortem should be conducted to determine areas of strength and weakness. An assessment of existing policies and procedures would help to identify areas for improvement with a potential shift in budgetary priorities and resource allocation. The evaluation would also pinpoint specific areas of needed training, technological shortfalls (e.g., IT personnel, enhanced software), and cyber insurance deficiencies.  

Issuers should develop a remedial or business continuity plan — separate from a disaster recovery plan —  that incorporates all of these findings, with an established time table and identification of task-assigned personnel. For most issuers, annual simulations would be sufficient, but a more frequent cadence would be appropriate for higher-risk issuers. At the end of the day, preserving market access, continuity of debt service, and investor confidence are the three key tenets of public finance investment. 

As a municipal bond credit analyst, I believe that effective cyberattack preparedness is foundational to successful governance. I view cyber preparedness and responsiveness as a hallmark of issuers' fiduciary obligations to their bond investors.  

Sophisticated investors typically do not take on credit exposure without first conducting an assessment of the governance structure. Strong corporate leadership, accountability, and internal controls are as important as succession-planning transparency, and leadership, as opposed to IT specialists, must articulate a viable cybersecurity program that has the ability to evolve with more nuanced threat assessments. 

There have been various instances of cyberattacks targeting municipal governments, health care providers, and even a primary market distributor of offering documents and a host of online investor roadshows, with the intent to gain access to personal information by installing harmful ransomware. We have seen rating agency downgrades due to the financial impact, with cybersecurity risk becoming an even more important aspect of the credit assessment process. 

We have also witnessed non-ransomware attacks designed to disrupt strategic operations for certain enterprises. Enhanced cybersecurity responses and preventative measures along with a broader use of insurance do help to insulate financial and operational exposure for municipal issuers, but the growing expenses associated with insurance premiums and other preventative and remedial actions add budgetary pressure for a number of obligors. Discretionary resources are likely to grow tighter as revenue growth trails expectations and spending needs continue to be subject to competitive budgetary forces. 

Across the business sphere, many of us receive training in cyberrisk identification, avoidance and responsiveness. Training is particularly evident within the financial services sector where extremely sensitive information is held for safekeeping. AI-generated phishing campaigns target mass or individual email addresses and convey a sense of urgency as a way to unknowingly motivate improper action by the recipient. Cities, counties, school districts, hospitals, universities, airports and utilities are all exposed to such activities, with many other obligor types also at risk. 

Phishing techniques can severely compromise operational integrity and set an enterprise up for large cyberattacks through unauthorized access to financial systems and interception of confidential employee and vendor data. More sophisticated phishing schemes are often used to target senior leadership with tailored messaging. Looking at this through another lens, standard encryption practices for email delivery may not be sufficient. 

Specific phishing simulations are used for training purposes with a focus on proper identification of trusted sources, awareness and preparation and often demonstrate how the use of multifactor authentication and other technical safeguards can minimize email corruption and prevent an organization-wide cyberattack. Similarly, the inadvertent downloading of malware can give hackers unauthorized access to confidential computer files and systems through the installation of viruses, ransomware and spyware. 

While there is no central registry that tracks every municipal issuer cyberattack, there are sources that serve as proxies. The Cybersecurity and Infrastructure Security Agency collects incident information, but it does not curate a full database of municipal cyberattacks. The FBI gathers information on municipal cyberattacks, but much of the data is confidential. Issuer disclosures on specific cyberattacks are made available to EMMA, subject to a determination of materiality. Rating agencies offer an assessment of issuer cyberattacks to the extent they are impactful to financial operations.   

I would suggest that perhaps the results of cybersecurity simulations should be added to the list of enumerated material events required to be disclosed to EMMA. However, I wrestle with this concept because I respect and appreciate issuer/obligor concerns regarding public dissemination of exposed weaknesses that can be exploited by bad actors. I believe this will be a "hot topic" issue as the market looks for a reasonable intersection between investor transparency and preservation of issuer/obligor operational security.  

The municipal securities market maintains one of the finest networks of organizational support. However, the market lacks a dedicated cybersecurity task force represented by a combination of industry sponsors, including the National Association of Bond Lawyers, the National Association of Municipal Advisors, the National Federation of Municipal Analysts, the MSRB, the Government Finance Officers Association, and the National Association of State Budget Officers. 

The NFMA produced a white paper in 2020, entitled, Best Practices in Cybersecurity Risk Disclosure for State & Local Governments in Municipal Offerings. "The White Paper represents NFMA's recommendation for disclosure practices based on our experience as municipal credit analysts and market participants, but recommendations included herein are not intended to constitute legal standards or any form of minimum disclosure requirements."

In my view, this white paper represents an excellent narrative with common-sense recommendations for both primary and secondary market reporting purposes. It also provides a framework for cybersecurity event disclosure, expresses rating agency concerns over cybersecurity risks to issuers, and addresses SEC disclosure guidance and concerns over cybersecurity events. I recommend considering the NFMA's white paper within the context of SEC rules for corporate security cybersecurity disclosure. 

It includes an overview of cybersecurity risk mitigation strategies for issuers, cyber assessments, and cyberthreat education and reliance on external vendor cyberthreat mitigation plans and systems. The white paper is replete with recommended cybersecurity due diligence questions for state and local government primary offerings, and model cybersecurity reporting covenants for state and local governments.   

I believe it is time to take these best practices beyond recommendation by pursuing practical application. The municipal securities market will be better served by formation of an industry-wide task force charged with developing a standard set of cybersecurity best practices that can meet the operational, transparency, security and financial needs of the issuer community.


For reprint and licensing requests for this article, click here.
Market Intelligence Cyber Security Cyber attacks Credit Muni Advisor Attorneys
MORE FROM BOND BUYER
Load More