Programmers work on computers

From major airports, to the US power grid, to cities, towns and counties across the country, cybersecurity related issues are unfortunately frequent headlines, particularly in recent years. Cybersecurity issues have become real and ongoing threats to both the operations as well as the financial health of governmental entities. Like any risk, cybersecurity issues also have impact on issuers of municipal bonds.

As a part of any rating process, issuers are asked to address myriad questions that relate to their financial stability, reserves and any hidden risks or liabilities. Traditionally, when evaluating risks, rating agencies have focused on considerations such as the possibility that looming litigation, deferred maintenance of assets, pension liabilities and environmental risks. With recent attacks on the IT systems of local government, rating agencies now ask questions pertaining to the security measures that a local government has in place in its evaluation of both direct and indirect risks. The direct risk is the impact on the unit of local government’s finances should an issuer decide to pay a ransom in order to regain control of its own information and systems. The indirect risk is the loss of staff time, recovery of data and potential litigation from data breaches, which may be equally costly to the local government.

Cybersecurity issues are also a concern around the transfer of bond proceeds at the time of closing. Issuers of municipal debt have very public borrowings, often multi-million dollars are transferred in conjunction with these closings. For transparency purposes, many of these transactions are publicly disclosed in offering documents, and these offering documents may even disclose how the issuer addresses cybersecurity, including whether the issuer has cybersecurity insurance to limit its financial exposure. Issuers must be very aware of security considerations around issuing its bonds to ensure that the funds are not misdirected or intercepted. In recent years, hackers have intercepted and changed wiring instructions as well as impersonated leaders of companies to instruct financial officers to make fraudulent fund transfers. Fraudulent activity may occur during the bond closing, but also may occur in conjunction with other debt-related wire transfers of the issuer during the life of the bonds.

Baker Tilly Municipal Advisors has implemented additional security measures around the release of wiring instructions for bond sales. The firm will continue to evaluate its processes to assist with protection of client data as a part of the fiduciary duty that a municipal advisor has to its clients. We also work in conjunction with financing teams to discuss appropriate cybersecurity disclosures in connection with financings.

Whether you are just developing your plan or would like a second opinion about the plan that you have developed, Baker Tilly can assist, contact us for more information.

Susan Borries Reed
Managing Director
Bridge on a sunny day
Next up

Business continuity planning checklist