In a May 28 note to investors, Breckinridge’s Alriona Costigan and Jesse Starks noted the disproportionate risk of cyber security attacks on small state and local governments.

Such governments lack funding to hire cyber security personnel and mount strong infrastructure defenses against hackers.

The estimated costs of two recent cyber attacks on municipalities (in dollar terms, since the loss of reputation cannot be quantified) are in the millions:

• Atlanta $17 million (2.6% of annual budget)
• Lancing, Michigan $2.5 million (7% of revenues)

According to the authors, Baltimore – the most recent large city under cyber attack – has yet to recover from a May 7 ransomware attack (its second in under two years; the City’s 911 system was hacked in March 2018). Staffers are unable to send or receive emails from City accounts, and some agencies are not able to perform routine processes such as revenue collection for parking and permits for property sales.

It was suggested that improved disclosure is a key step towards providing investors comfort on the cyber-readiness of issuers. In particular, investors will be hoping to gauge the seriousness in which senior government officers are handling cyber security issues.

In addition, beyond disclosure, issuers would be evaluated for their action plans in response to a successful cyber attack. Breckinridge recommended that issuers formulate a written disaster-recovery-and-response plan, provide clarity on the availability of funds for cyber security risk management and the presence of insurance.

Breckinridge is a large investor in the municipal bond space and one of the largest managers managing SMAs. The firm is considered a leader in developing ESG (Environment, Social, Governance) scorecards and sustainable investing.

Contact Jumanne Johnson at JJ@BuyMuni.com