As if local government leaders don’t already have enough to worry about when it comes to cybersecurity and the ongoing ransomware threat, yet another incentive to enhance cyber defense measures has emerged. Municipal bond investors are now factoring in the prevalence of cyber attacks and a municipality’s preparedness into municipal bond ratings.
According to investors, cyber attacks pose a growing credit risk to cities, counties, and states. When a severe ransomware attack struck Baltimore, it hobbled the city’s ability to collect water bills, property taxes, parking revenue, and took down its system to process home sales. Baltimore’s general obligation bonds, like much local debt, is payable by property taxes, which makes up about half of the city’s revenue. Unable to collect a sizable portion of revenue, it had to find other sources to stay current with its obligations. Baltimore’s security breach will end up costing the city more than $18 million in un-budgeted technological upgrades and lost revenue.
Similarly, when New Orleans was recently hit by a ransomware attack, it was forced to utilize all of its $3 million cybersecurity insurance policy. Unfortunately, the cost to recover from the attack surpassed $10 million - the difference of which Mayor Cantrell said the city, “will have to eat.” This type of unplanned, un-budgeted major expenditure can have a significant impact on a city’s credit rating, and bond investors are taking note.
Cyberattacks threaten to erode public confidence in government and can suggest weak governance, said Alriona Costigan, a vice president at Breckinridge Capital Advisors. Furthermore, cyberattacks could have even more harmful effects on smaller state and local governments, which have less funding for cybersecurity and may see themselves as less of a target than big cities or states. Regardless of the size of an individual government, their data sets represent a unique attraction for cyber criminals, and therefore requires an equally comprehensive approach to ensure the protection of critical digital state, county, and municipal systems.
“If the condition of a town’s roads, bridges, and public works can impact its credit rating, it stands to reason that the worthiness of its IT and cybersecurity maturity would too”, said GovPilot’s Chief Security Officer, Jason LeDuc. “Just as cities invest to maintain infrastructure that its citizens can see, they must also invest to maintain the infrastructure that they can’t, because a failure of IT infrastructure can be catastrophic.”
Last June Mayor Cantrell argued to the New Orleans city council that cybersecurity funding deserved to be included in the city’s budget for critical infrastructure. Some members were hesitant, complaining that protecting IT assets was not an infrastructure component.
“Like hell it isn’t.” Cantrell responded.
In December, New Orleans was hit by the notorious Ryuk ransomware, knocking several of the city’s critical departments and revenue generating functions offline for weeks. Several departments will need large portions of their IT inventories replaced.
Across the country, municipal investors are taking into account cybersecurity and adjusting accordingly. Municipalities must do the same, not only to maintain or improve their credit rating, but to safeguard their citizens’ data and the services they rely on.
If you are interested in enhancing your local government’s cybersecurity posture - no matter the size of your municipality - GovPilot can help. Learn more, and sign up for an initial 15-minute consultation.