Credit risks stemming from cyberattacks on US cities, school districts and other municipal bond issuers are likely to grow as the public sector remains an easy target for hackers, S&P Global Ratings said in a report on Wednesday.
The US public sector has broadly and quickly adopted new technologies to provide public services, such as online bill payment systems, but it has had a hard time guarding against increasingly frequent and sophisticated cyberattacks, the S&P report said.
“The very nature of public finance attracts criminals looking for an easy target,” it said. While S&P has never downgraded a municipal issuer because of a cyber incident, repeated successful attacks can eat away at credits over time by eroding public trust, the report said. That would potentially make it harder for municipal issuers to increase tax rates and take other measures needing public support.
The public sector struggles with retaining information security talent and keeping an aging workforce up to speed on emerging cyber risks, S&P said. The transparent nature of government, where information is more accessible compared private companies, makes public entities increasingly vulnerable.
Cybercriminals are also getting more organised and more professional, it said.On the so-called Dark Web, where illegal activity can be engaged in freely, purchasers of ransomware – software designed to block access to a computer system until a sum of money is paid – are offered money back guarantees, the report said.
Attacks launched on the public sector commonly involve extortion attempts. That was the case earlier this year in Atlanta, where hackers demanded roughly $50,000 in bitcoins after encrypting data across city departments. The attacks also include cases where someone hacks into a municipal website to push a political or social message in a so-called “hacktivist” action.
Sometimes hackers simply leach off of public networks, slowing them down for lengthy periods of time before being detected. Despite concerns about losing public confidence, municipal issuers should stop concealing cyberattacks, which they often do out of embarrassment, S&P said. Instead, it recommended sharing details of attacks broadly with the municipal bond market and law enforcement.
Public entities should also report the attacks through an event notice on the Municipal Securities Rulemaking Board website, EMMA, it said.
“Only with consistent and transparent disclosure can the evolving sophistication of cyber criminals be recognized and prudent mitigation measures taken and disseminated,” the report said.
