Possible Drivers to Action
One possible driver to action could simply be alerting the public through their local media outlets just what havoc can be, and has been, wrought by cyberattacks. For example, at the National Health Service in the U.K. and the power company Prykarpattyaoblenergo in Ukraine. While the latter appears to have been a targeted attack, the former was simply about money. While both were malicious and extremely damaging, they could also be viewed simply as warning shots and indicative of what further might happen.
Another driver could lie with municipalities’ furthering their own commitments to high-quality and reliable public services. Terry Smith, CEO and founder of Smith’s Cyber Security Gradings, believes that with the tradition of first-class service to uphold, public sector (both state and local) cybersecurity professionals are willing to meet the challenge, but the critical physical infrastructure is weak.
I believe two other potentially effective approaches (if they were adopted) lie with the muni bond market itself. First, lenders should insist that bond issuers meet certain minimum standards of cybersecurity. These could be based on guidelines and standards set out by NIST and/or US-CERT. And their adherence to these standards will be monitored on a continuing basis.
A commitment to and the subsequent maintenance of, these standards would be incorporated in municipal bond offering documents; that is, a clause covering cybersecurity would become standard. Its absence would likely result in a yield penalty to the issuer similar to what occurs with bond insurance.
In the second instance, a commitment to and the recognition of standards by, credit rating agencies would have a direct bearing on an issuer’s ability to obtain a stronger rating for the bond: the tradability of the bond would likely improve as a result. Cybersecurity gradings do already exist in the private sector, but not yet in the muni space.
Once they’ve determined this key information, municipalities can look at encrypting data. An important step that has worked for companies and could also work for municipalities is data encryption. Encrypted data can only be read by the person who knows the encryption key.
As the graph above shows, cyber attacks have hit businesses the most, followed by governments, from 2015 to 2016.