A colleague recently received a personal e-mail from a foreign prince offering massive “compeiennsation” for assistance liberating funds held by the United Nations—the prince just needed a $10,000 advance, via Western Union, to get some initial paperwork sorted out. Perhaps you received the same email. Unfortunately, most attempts at internet-based crime aren’t quite as easy to spot.
In the public finance context, a fraudster posing as a contractor on a public infrastructure project might email a project manager with a fake invoice requesting that payments be wired to a new account. Within minutes, bond proceeds paid to the “contractor” may end in the same hands as the funds wired to help the poor foreign prince mentioned above. Public entities are especially susceptible to email scams because open records and open meetings laws and transparent operations make it easy for criminals to conduct reconnaissance on employees and transactions. This allows the criminals to craft personalized and convincing fake messages that do not contain obvious indicators of a fraud.
Although they receive the most media attention, nation states, political parties, and large retailers are not the only entities being targeted by hackers. As those entities build stronger defenses, hackers have increasingly pursued lower profile and less protected yet still lucrative targets like state and local governments and other public entities. Indeed, some hospitals, school districts, and local governments have already been victims of cyber-attacks. For example, in a recent Department of the Treasury announcement, it identified that “[s]ince at least March 2016, Russian government cyber actors have also targeted U.S. government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.”
Despite this risk, public entities can be unaware and unprepared to identify and protect themselves from a variety of cyber-related threats. There are a number of preliminary steps they can take to reduce risk and to be prepared.
- Business email compromise schemes. One of the most pervasive threats usually does not involve hacking in the traditional sense. Rather, criminals can devise simple tools to send emails that appear to come from an internal senior executive or accounting employee that direct another employee to initiate a bank transfer to an account controlled by the criminal. Well-meaning employees trying to satisfy an urgent request frequently fall victim to this scam, which is low-cost and low-risk for the criminal. Further, the risk is particularly acute where criminals have access to information that allows them to tailor convincing spoofed emails (e.g., internal emails released under open records laws). The FBI has identified business email compromise schemes as a top tread in cybercrime and has published a useful, plain language overview of the issue.
- Ransomware. Criminals and nation state actors are also using malicious code that locks users out of their systems or data in an attempt to extract ransom payments. User systems can be infected by visiting a compromised website or by opening a malicious email attachment. Once introduced to a network, this code—termed “malware”—can quickly spread to other devices. For example, in 2016, an employee of a Florida police department opened a malicious email attachment that spread, encrypted 160,000 city files, and triggered a demand for up to $33 million in bitcoin to unlock them. Some victims quietly pay the ransom rather than risk serious disruption to their business or reputational harm. The FBI advises against doing so. Ransom payments also are rarely an option for a public entity.
- Data breaches One of the most familiar cybersecurity incidents—the theft of large amounts of sensitive personal or financial data—is a real risk for public entities. For example, the FBI recently had the contact information of 20,000 of its employees leaked online. The amount of data stolen does not have to be large to have a significant impact; criminals have stolen login credentials to financial wire systems and have been able to initiate unauthorized transfers of tens of millions of dollars. The personal and financial data held by public entities—both large aggregations of data and more discrete pieces of critical financial information—will be attractive to criminals, especially when left vulnerable on older devices or systems.
- Physical effects. Any organization that is related to or supports critical infrastructure can also be subjected to threats beyond financial crimes. Actors who seek disruption of services or destruction of infrastructure may target these entities to gain a foothold in a network that controls systems in the physical world. For example, the federal government recently indicted Iranian hackers for illegally accessing the control system of a dam in Rye, New York. Though no physical damage occurred from that incident, the potential for damage from similar intrusions is clear.
- Credit risk. An S&P Global Ratings analyst has said that a cybersecurity incident could affect a public entity’s credit rating. This not only due to the cost of an incident, but also the accompanying loss in taxpayer trust could hinder a public entity’s ability to raise taxes. While we are not aware of any such downgrade that has happened yet, it is a risk that public entities should be aware of.
- Litigation and regulatory risk. The Securities and Exchange Commission recently expanded its warnings to companies that generic disclosures identifying cybersecurity risk factors may be insufficient. Public entities that are not subject to the same U.S. Securities and Exchange Commission (SEC) rules that apply to public companies should be mindful of their cybersecurity risk disclosures.
Mitigating the risks
Defending against these risks is not simple or easy, but there are some operational tips that can be the foundation of a robust and specifically tailored cyber risk management program.
- Employee training. “Human error is a major factor in breaches, and trusted but unwitting insiders are to blame.” Familiarizing employees with the threat their organization faces, and how to respond if an incident does occur, is probably the most important thing an organization can do. Catastrophic incidents can be, and sometimes are, avoided by employees who were trained to recognize a potential threat and know how to respond.
- Anti-Spoofing. The FBI has said the best way to avoid being exploited by a business email compromise scheme “is to verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone. Don’t rely on e-mail alone.” That’s good advice, but not always practical in every organization. Fortunately there are many technical options, including some built into standard Microsoft office products, that provide conspicuous warnings to email users when a message may not be coming from who it claims to be from. Enabling such warnings is a low-cost and often effective way to alert employees to spoofed emails.
- Quick action. Victims of fraudulent wire transfers generally have 48 hours to notify law enforcement to have a chance to get their money back, or at least freeze the money in place. As with many aspects of cybersecurity, quickly identifying an incident and having a plan—or at the very least knowing who to call—can go a long way to mitigate negative impact.
- Basic device hygiene. Broadly, simple steps like enabling firewalls, using antivirus software, and keeping operating systems up-to-date reduce your risk. While these steps alone will not stop a determined actor, they can cause someone looking for a target of opportunity to move on to a different victim and limit the spread of indiscriminate malware.
- Reflect and disclose. Recent SEC guidance to publicly traded companies seems to indicate that the SEC expects companies to conduct careful inward assessments that identify unique strengths and weaknesses, and that disclosures should be tailored to that assessment. Even for public entities not bound by that guidance, internal assessments and tailored cybersecurity risk disclosures may be prudent.
- Insurance. Cybersecurity insurance helps organizations manage their risk, but careful note should be taken of policy exclusions. The creativity of cyber criminals makes it very difficult for an insurance policy to fully and explicitly define the bounds of policy coverage. Increasingly, insurers are requiring exclusions for some known risks. One example is losses arising from a stolen or misplaced portable electronic device—a potentially high-impact incident but one that can generally be mitigated by developing and enforcing portable device encryption policies.
Cybersecurity is a complex issue that necessarily requires careful and specific inward assessment. Further, cybersecurity is not merely an IT issue, it’s an enterprise-wide risk management issue. Senior leadership involvement and education is critical because engaged and informed leadership is one of the best defenses to skeptical government investigations and to civil lawsuits. Public entities should also consider maintaining a cyber-incident “playbook” that contains, among other things, a notification checklist of security, law enforcement, insurance, and legal contacts who should quickly be informed of a potential incident.