Michigan township hack spells bigger cybersecurity troubles for munis
White Lake Charter Township, Michigan, had its entire bond sale proceeds stolen through an email infiltration, according to sources, who also say it was not the first instance of hackers stealing bond proceeds or attempting to do so.
The township had sold $29 million of limited tax general obligation bonds in the competitive market to Baird on Oct. 31. On the Nov. 21 closing date, the township learned it “has been the victim of a sophisticated cybersecurity attack, which compromised a financial transaction related to a new issue of infrastructure bonds,”
The Michigan township hack is rarer than the much more common
This hack is the only hack of a public securities financing deal for which public information is available, as far as Rahmani is aware, he said.
“I know of attempts, of other ones, but those are kept under wraps,” Rahmani told The Bond Buyer. “It’s a novel thing… This is a new vector of attack for the public sector.”
“We don’t have any kind of mandatory reporting laws in the United States when it comes to an issue like this for munis,” Rahmani said. “There are many, many more [examples] that go unreported.”
But as these attacks grow and evolve, and if there are more successful hacks on public sector financings, they will be tougher to keep under wraps, he noted.
Rahmani said there’s another challenge when the financing process gets hacked: The amount of proceeds is usually “much larger on a percentage level to the revenue and balance sheet of the organization … than the typical business email compromise. Like, orders of magnitude larger. So I can see that being a challenge, especially in terms of getting insurance companies to cover the loss.”
It’s hard enough convincing local governments to spend money on cyber insurance that covers ransomware attacks. The new and very specific threat of a hacked financing process, Rahmani said, is “absolutely” underappreciated by the public finance industry.
Cyberattacks on municipalities are very common as “they are automatically exposing themselves in ways that most private organizations won’t … and hackers have an easier job of finding likely targets inside the public sector than gathering information from a private company,” said Jack Danahy, vice president of Strategy and Innovation at NuHarbor Security, a national cybersecurity services firm.
Regardless of whether an issuer has cybersecurity insurance, “cybersecurity recovery costs, especially in terms of a catastrophic attack which shuts things down and turns things off, can be a pretty large unfunded expense,” Danahy said.
That calls into question the stability of the municipality before the bond issuance and forces the issuers to examine how the attack happened and how to prevent future hacks, he said.
This usually leads to a “meaningful increase” in technology spend associated with cybersecurity, which tends to reduce the damage positively, Danahy said.
What needs to change are public sector philosophies around cyber risk management, Rahmani said. Public sector organizations need to understand their organization’s vulnerabilities and adopt a “vertical culture of cyber hygiene.”
And that’s a challenge because researchers like Rahmani have found that there’s a bell curve to organizational cyber vigilance. Practices tend to be most lax at the most junior and senior levels in organizations. And it only takes an error by one person to let a threat actor in.
“We can spell cybersecurity, but it’s tough to get our hands around all the details of cybersecurity,” said David Erdman, managing director at Baker Tilly and former capital finance director for Wisconsin.
In response to cyber attacks, all finance transaction participants — the issuer, bond counsel and municipal advisory communities — “should work together to develop some standards … so we don’t have different professional service providers or different regions or organizations going in different directions,” he said.
Despite the lack of specific disclosure requirements for issuers, “it’s incumbent upon an issuer to consider full disclosure on what happened,” Erdman said. “There is going to be a tail to that incident, and you’d hate for that to come back later and impact an investor’s decision.”
Danahy agreed the onus to report the attack falls to the issuer, which will be “closest to the ground in terms of understanding the materiality of the breach — how many folks affected, what part of the infrastructure was touched, was there anything particularly unusual about the way the breach transpired.”
For Erdman, cybersecurity was one of his biggest challenges as an issuer, noting, “There was always that concern about saying too much. Was I going to provide information in my official statement providing a roadmap for someone with ill thoughts?”
Compounding the issue is the lack of expertise from municipalities around cybersecurity as the private sector recruits talented employees with better compensation, Danahy noted.
“There’s a struggle amongst organizations and public sector to maintain a staff that’s comfortable and competent and has all historical knowledge to be great protectors,” he said.
And it’s even harder to parse which issuers have cyber insurance because some worry that if they have cyber security insurance, they will be targeted for that amount, Erdman said.
“If I say I have a policy for X dollars, then that may be an incentive for someone to come after me for ransomware for X dollars,” he said.
Rahmani said cyber insurance remains a highly tailored product, and insurance companies have significantly tightened their requirements recently both for the provision of insurance and for the terms on which that insurance would come into play.
According to a
“It’s going to depend on the point of origination” and whether the responsible party has cyber insurance, Rahmani said of coverage in situations like the Michigan example. “Now, usually, of all those organizations [involved in bond deals], the issuer may have the most room for improvement when it comes to cybersecurity, just because cybersecurity practices are not as robust in the public sector … and the financial services parties do have certain regulations that they have to very stringently abide by.”
Financing hacks might be covered under some policies as a business email compromise, but on the other hand, “this is a mechanically different type of a transaction,” he said. “I am not aware of any widespread use of policies in relation to this particular fairly boutique problem.”
“In most cases, hijacking of funds and business email compromise — the primary mode of getting to that money is actually through social engineering,” Rahmani added. “So to me, cybersecurity remains more of a psychology problem than a technology problem. You can’t attack it and solve it with technology alone.”
According to the 2024 Data Breach Investigations Report from Verizon Business, which covers November 2022 through October 2023, 30,458 cyber security incidents were investigated during that time, and 10,626 confirmed breaches across 94 countries. The public sector saw 12,217 incidents at the federal, state and local levels, the most of any sector.
The report’s
“They go where the money is,” the report noted. “Financially motivated threat actors will typically stick to the attack techniques that give them the most return on investment.”
Ransomware and other extortion breaches
Going forward, two big changes loom, Rahmani said: stronger commercially available artificial intelligence models and the maturation of quantum computing. The former could open the door to hackers using AI to write novel malicious code, which would upend traditional countermeasures that rely on cataloging known code. The latter threatens to render obsolete everything we know about cryptography, he said.
“It’s going to come back to the human element far, far more,” he said. For the public sector’s risk perspective, what that means is that the top concern is not anticipating the sophistication of new attacks. They’re going to keep evolving.
But even with the most recent attack garnering some media attention, cyber security is not always at the forefront of people’s minds, Danahy said.
“There isn’t this ongoing systemic attention to making things better because it only happens in a municipality once or maybe twice,” Danahy said. “But at the same time, it happens so frequently that the marketplace as a whole is getting kind of jaded.”
“We’re in this weird place where there isn’t enough sustained focus on individual incidents to encourage organizations to learn a lot from them, do better, share those learnings with others,” he said.
However, due to increased reporting and public understanding, “we may be reaching a confluence where people start to do things,” Danahy said.
“I’m hopeful that the industry itself will come together and address what’s needed for disclosure, for practices to address the situation in Michigan,” Erdman said.
“The key thing is working together to find a solution and find a best practice,” he said. “This isn’t a Midwest problem. This isn’t a Far West problem, not an East Coast problem. This is a national problem.”