Fitch says code glitch may make municipalities vulnerable to ransomware

A glitch in a computer code that’s widely used by municipalities may pose a significant risk to them, leaving them open to cyber attacks and ransomware demands, Fitch Ratings said on Friday.

Public finance entities running Java-based software are broadly exposed due to the widespread use of the open-source Log4j (Log4Shell) computer code, Fitch said in its report.

This could result in increased ransomware attacks, which would put pressure on public finance entities’ operations and finances, the agency said.

“Compromised systems can directly affect public finance entities in the near term through ransom payments and/or the costs of remediation and restoration of data and service,” said Fitch's Associate Director Omid Rahmani, lead author of the report. “Over the longer-term economic disruption from cyberattacks could lead to loss of revenues for state and local governments and enterprises.”

Fitch noted the impact of a cyberattack on an issuer's rating would depend on whether it has a material financial, operational or reputational risk to the issuer as well as the effectiveness of its disaster recovery and operational continuity plans.

“Pressures that result in a deterioration of financial metrics could lead to negative rating actions,” he added.

Additionally, already-expensive cyber insurance may become unattainable for those not able to show robust cyber defenses.

Providing a clean bill of health to municipalities using the code may be difficult, he said, compounding the existing challenges that public finance issuers face in acquiring cyber insurance.

"Insurer guidelines necessitate ever more stringent security audits and adherence to industry best practices, such as staffing and system and software updates, in order to qualify for cyber insurance," Rahmani said. "Cyber insurance was already increasingly unaffordable for public entities with smaller budgets, with diminishing coverage limits and increasing insurance premiums, and Log4Shell will exacerbate this trend."

Experts say this may be one of the most serious cyber security threats in decades.

The U.S. Cybersecurity and Infrastructure Security Agency has called the vulnerability “critical” and documented international threat actors gearing up to exploit it.

CISA has advised users to prioritize software updates. However, due to the widespread use of the code, it is expected that it will be difficult to identify and fix quickly.

“This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use,” CISA Director Jen Easterly said last month. “End users will be reliant on their vendors, and the vendor community must immediately identify, mitigate, and patch the wide array of products using this software. Vendors should also be communicating with their customers to ensure end users know that their product contains this vulnerability and should prioritize software updates.”

In the past three years, cyber attacks on public finance entities have increased, Fitch said.

“Log4Shell makes the risk of attacks more acute due to the ubiquity of Java-based software, the prevalence of a patchwork of legacy systems across the sector and the finite resources of IT staff,” Rahmani said.

Fitch says that robust systems monitoring, capital investment in digital assets, regular software updates, network segmentation and employee and management vigilance against phishing are the important safeguards against cybercrime.