June 14, 2017 / 11:03 AM

RPT-U.S. muni market slowly starts paying heed to cyber risks

 (Repeats for wider distribution)
    By Hilary Russ
    NEW YORK, June 14 (Reuters) - A rise in cyber attacks on
U.S. public sector targets so far has had little impact in the
$3.8 trillion municipal debt market, with no issuer as yet hit
by a downgrade or higher borrowing costs because of a cyber
security threat.
    That is beginning to change.       
    S&P Global has begun to quiz states, cities and towns about
their cyber defenses, and some credit analysts are starting to
factor in cyber security when they look at bonds. Moody's Investors
Service is also trying to figure out how to best evaluate cyber
risk.
    The shift follows a particularly steep rise in ransomware
attacks, in which criminals hold an entity's computer system hostage
until a small ransom is paid.
    The number of global ransomware detections rose 36 percent
in 2016 from the year before, to 463,841, with the United States
most heavily affected, according to cyber security firm Symantec
Corp.
    Such attacks, which have also hit companies and federal
entities, have spared no kind of municipal issuer, large or
small, from police departments to school districts and transit
agencies. Ransomware attacks on state and local governments and
their agencies have risen in proportion with the overall
increase, according to cyber insurance provider Beazley Group.
    "State and local governments are a huge target, quite
frankly an easy target for bad guys," said Bob Anderson,
managing director for information security at Navigant
management consulting firm in Washington and a former global
cyber investigator at the Federal Bureau of Investigation. 
    Last month's "WannaCry" ransomware attack, which hobbled
global businesses and Britain's National Health Service, may
also be prompting renewed focus on cyber security, though it had
minimal impact in the United States.
    Considering a potential cyber attack as a similar risk to a
natural disaster, S&P has already been reviewing cyber security
defenses of utilities, hospitals and colleges because they were
early public sector targets for hackers.
    Now it is also beginning to ask cities and states about the
costs and level of security measures and the financial impact of
successful attacks, said Geoffrey Buswick, who manages S&P's
public sector ratings. 
    
    HEAD IN THE SAND
    The answers feed into broader categories that affect an
issuer's ratings, particularly governance, liquidity and
operations.
    Many breaches are handled quickly and financial damage is
limited, but not every attack will necessarily end that way,
Buswick said. "We're trying to get a sense of who has their head
in the sand and who doesn't."
    Fitch Ratings said it does not consider cyber security in
its ratings, and many investors still are not concerned enough
to ask for details. 
    In part, that is because it can be difficult to assess the
operational and financial fallout of such attacks. Some
high-profile breaches so far have also done limited damage to
issuers' finances.
    Case in point is the state of South Carolina, which in
August 2012 suffered possibly the worst cyber attack yet of any
city or state. 
    When hackers stole the personal data of more than 3.5
million taxpayers, the state had to investigate, provide credit
monitoring and consumer fraud protection, and implement a slew
of post-breach upgrades, according to State Senator Thomas
Alexander.
    The total cost is around $76 million and counting, he said.
That is enough to pay for several school programs combined. But
against South Carolina's annual general fund budget of roughly
$8 billion, the costs made no dent in its standing as a
borrower.
    Many issuers do not disclose any information to potential
investors in bond documents about cyber risks or defenses. But a
few, particularly hospitals and utilities, have started doing
so.
    In a February prospectus, the Maryland Health and Higher
Educational Facilities Authority, the state's largest public
debt issuer, included nearly a full page devoted to the growing
risk of cyber attacks.
    "Because we're such a large issuer, and because healthcare
is often treated much more like a corporate credit, the legal
counsels to the transaction weigh in on the bondholder risk
section," said Annette Anselmi, the authority's Executive
Director, noting that such disclosures also evolve depending on
what kinds of questions the market is asking.
    Hospitals are also ahead on cyber security disclosure
because they rely on huge amounts of data, said Court Street
Group analyst Joseph Krist.
    Eventually, he expects others to follow suit.
    "We went through this with getting munis to ... disclose
more pension information. Those were frankly long and painful
processes. It just has to get to a critical mass."

 (Reporting by Hilary Russ; Additional reporting by Jim Finkle
in Toronto; Editing by Daniel Bases and Tomasz Janowski)
  
