MuniOS hack underscores importance of cybersecurity
ImageMaster’s electronic platform MuniOS, which provides municipal bond offering documents and online investment roadshows for thousands of municipal bond deals, remained down Wednesday after a ransomware attack, highlighting the need for the muni market to reexamine its infrastructure and invest in cybersecurity.
While details of the hack are limited, the incident has been confirmed by multiple sources, including one that got confirmation from ImageMaster.
With this cyberattack, the primary concern is the disruption it may cause to the dissemination of official statements and pricing, as well as the exposure of details on private placements, said Omid Rahmani, public finance cybersecurity lead at Fitch Ratings.
“There’s the direct risk to MuniOS, but then there’s a secondary risk if (the threat actors) have data exfiltration, which is now pretty standard in ransomware cases,” he said. “If they have a pretty good idea of when deals are going to be pricing… they can go for a traditional, garden variety business email compromise,” send an invoice and divert a payment.
The threat actors have to get the timing exactly right, he said, but armed with the right details, they could possibly divert bond funds, including on deals that are not currently public — thereby catching deal participants unaware. It could lead to more outbreaks of
“Going after MuniOS makes sense, just looking at it from the other side,” Rahmani said. “If I wanted to target municipal finance, this would be a really good place for me to start.”
Absent confirmation from the company itself, Rahmani said, he could only speak hypothetically, but it’s clearly “not a maintenance thing” if MuniOS has been down for several days.
Email and LinkedIn messages to representatives of Ann Arbor-based ImageMaster, LLC, which runs MuniOS, were not answered by press time.
The phone number for ImageMaster, LLC, was also down as of Tuesday and Wednesday.
“Because we don’t know, people should be very vigilant – about who you’re talking to, what you’re telling them, and what instructions you’re following,” Rahmani said, advising market participants to be particularly on guard against communications that have an element of urgency to them.
This event is a reminder that the muni market’s digital backbone is complex and fragmented, said Matthew Gerstenfeld, founder of Munichain and a member of the Municipal Securities Rulemaking Board Technology Advisory Group.
Without modern infrastructure and immutable recordkeeping, he noted, breaches can affect multiple firms.
When infrastructure is compromised, trust and continuity are challenged, Gerstenfeld said.
The muni market, he noted, benefits from systems that preserve both reliability, noting Munichain’s platform is “built around governed collaboration,” which he said provides validated benefits to municipal advisors, underwriters and issuers to foster a more resilient market.
The attack shows the continued need for the public sector to “level up” their awareness and their partnership with firms, like Baker Tilly, that can help them evaluate what they have going on and their vulnerabilities, said Jennifer Fredericks, sales director at Baker Tilly.
While that won’t necessarily stop an attack, it will ensure governments have a proper plan in place to know what to do if and when it happens, she said.
Following the attack, other platforms have reminded users of alternative options for accessing bond offerings.
The Municipal Securities Rulemaking Board posted a
Dan Silva, founder and CEO of Adaje,
The MuniOS attack raises the specter of disruptions in deal timing, though there have been no reported delays for deals pricing this week.
One of the largest deals, New York City’s $1.88 billion of general obligation bonds, proceeded Wednesday as planned. The city published a preliminary offering disclosure
“The city is going to market with its transaction today,” said Andrew Rothbaum, director of investor relations for New York City’s Mayor’s Office of Management and Budget.
Illinois Finance Authority Managing Director Brad Fletcher said IFA was not affected directly by the attack.
“RBC was able to successfully utilize MuniOS on Friday for the posting of the final OS for the Illinois Finance Authority Revenue Bonds, Series 2025 (Music and Dance Theater Chicago), and that transaction successfully closed yesterday in the market,” he said in an email Wednesday.
Wisconsin Capital Finance Director Aaron Heintz said the state of Wisconsin uses BondLink rather than MuniOS, while the Bay Area Toll Authority uses DACBond as its dissemination agent and makes official statements available on BondLink, according to BATA CFO Derek Hansel. Therefore, both issuers are unaffected.
MuniOS represents a bottleneck in public finance industry data, and bottlenecks are always a challenge from a cybersecurity standpoint. Rahmani said that’s where he sees market risk coming in, and maybe even regulatory risk.
“Because things are not getting done when they’re supposed to get done, somebody will probably take a look at that at some point,” he said.
In the meantime, the market should be aware of the heightened danger. Rahmani said he hopes all parties involved will work together to share information with the broader industry.
“Vigilance and validation – that should be the mantra,” he said. “The way the dark AIs have advanced in the last year has really democratized social engineering… Right now whoever’s hypothetically in there has access to the timing of everything everyone is issuing. And that timing is the golden key.”
Kathie O’Donnell contributed to this story.