Cybersecurity poses an increasing challenge for municipal issuers beyond actual risks of attacks.
The practice of protecting computer systems, networks, and programs from digital attacks can expose management, budgeting, liquidity, debt and even rating vulnerabilities.
“We’re beginning to factor cyber risks into all our sectors,” Geoffrey Buswick, a managing director at S&P Global Ratings, said at the Bond Buyer’s National Outlook Conference in New York.
“It can affect how you gauge management [and] their willingness and ability to repay the debt,” Buswick said. “It can affect liquidity — if you pay a ransom, if you have to remediate a system. It can lessen your reserves. It can affect debt if you have to issue to resolve their problems.”
Public-sector ransomware attack targets in the past year included Atlanta and the San Diego school district — the latter exposing personal data of roughly 500,000 students — and two Ohio Valley Health Services & Education Corp. hospitals, including one in Wheeling, West Virginia, where ambulance service disruption affected its bottom line for two quarters.
“Since the exposures are so great, people are concerned about how the municipal bond agencies are going to deal with that, whether It’s water-related or related to other issues,” Alan Rubin, a resilience financing expert and a principal at Blank Rome LLP, said on a
In New York, the financial capital and where Mayor Bill de Blasio earmarked $41 million for cybersecurity in his fiscal 2019 budget, risk also provides a business opportunity.
Enter the city’s public-private partnership, Cyber NYC. Two Israeli companies, Jerusalem Venture Partners and SOSA, the latter an open innovation platform, are running point on a $100 million program by the quasi-public New York City Economic Development Corp.
(Audio: The
The city is providing $30 million with private funding to cover the other $70 million. The aim is to produce 10,000 jobs within five years.
“We vouched for New York even before reading the [request for proposals] for the global cyber center, but it came at a very good time for us,” SOSA chief executive Uzi Scheffer said in an interview at SOSA’s center on Fifth Avenue in Chelsea.
About 30 companies exist in the building, with thousands of people visiting throughout the year. “At SOSA, the physical space essentially is more of a meeting space than a working space.”
“We’re very happy to see it really growing quarter over quarter significantly, not only with the presence of Israeli tech companies here,” he said. “The city has identified cybersecurity as an opportunity, given that New York is the financial capital. New York is perfectly positioned to lead this.”
The city on Friday launched NYC Open Data Week, to run through March 9. City officials call it a week-long celebration of the city’s public data across all five boroughs. They have scheduled more than 45 events, exhibits, panels and workshops explore open-data use.
The Mayor's Office of Data Analytics co-founded Open Data Week in 2017 with civic technology nonprofit BetaNYC, collaborating with local partners annually.
New York City's economic fundamentals remain strong, according to Moody’s Investors Service, even after the collapse of the much-ballyhooed Amazon Inc. plan to add 25,000 jobs in Long Island City, Queens.
“Google and Facebook have expanded significantly in New York City without direct state or city support because they want access to its creative workforce,” Moody’s said.
Scheffer visits from SOSA’s Tel Aviv base every three weeks.
Israel, a tech hotbed, ranks first worldwide in startups per capita. Israeli firms or research and development centers developed the first USB flash drive, the latest Intel PC processor and Google’s Suggest function.
Mandatory military service that exposes its younger population to advanced technology and a wave of skilled immigrants have all contributed.
“What we see in Israel is a real dense hub of tech companies, and I would say they are characterized by being deep-tech companies,” Scheffer said. “Location itself is such a challenge that you must be able to innovate on a daily basis to stay in front of your surroundings just to survive, which is what we do as a mindset.”
According to Scheffer, who has met with major rating agencies in recent weeks, their carrot-and-stick approach is a plus.
“I think that will incentivize the rated entities to move forward and to stay at the forefront of what’s protectable [and] what’s out there to protect themselves,” he said. “We see how the rating business evolves as well with technology. So the rating companies themselves are now realizing that they, too, have to innovate and to integrate solutions that can mine data.”
Selling cyber awareness is still an uphill climb, Buswick said.
“I sometimes feel like we’ve been screaming fire in an empty theater. We’ve been trying to express this as something that is an important issue, but when we talk to the issuers around the country, it greatly varies …who’s prepared and what they’re even thinking about for the topic.”
In Connecticut, Gov. Ned Lamont is encouraging students to participate in Girls Go CyberStart, a national competition backed by cooperative cybersecurity research and education organization SANS Institute designed to encourage young women to explore related careers.
“The fields of computer science and cybersecurity are growing in demand, and we do not want our next generation of young women to be left out of this conversation,” Lamont said. “Exposing students to technology from an early age is the best way to engage them in considering this field as a career.”
Participants will use an online series of challenges that allow students to act as cyber protection agents to solve cybersecurity-related puzzles and explore cryptography and digital forensics.
Given an automation trend that includes employee layoffs, tech systems often hurriedly implemented without thought to cybersecurity also pose risks.
“Of even greater concern may the exposure of utilities like water and wastewater systems, and power systems to cyber attacks,” said Arto Becker, a partner at New York law firm Hawkins, Delafield & Wood.
“It’s important to note the tension between proper disclosure of cybersecurity risks and not providing a roadmap or a back door into an agency’s computer system or inadvertently tempting hackers to attempt to infiltrate a system by proclaiming the quality of the security.”
Technology may also boost the economy of rebounding cities. New Jersey’s largest city, Newark, was a top-20 finalist in the competition to land an additional headquarters for Amazon and could benefit from the Fortune 500 behemoth’s reversal in New York.
“We see almost every public entity today looking at how they can support the local tech ecosystem,” Scheffer said.
“And the places where we see that work are places that distinctively have a leading industry, or they have a local industry which is very distinct or leading on a global or national level, if it’s automotive for one city or mobility for another one, or even travel, or financial services if you look at the City of New York.
“If you say OK, cyber and New York City, does it make sense? The answer probably is yes, because of financial services being one-and-a-half times more probable to be attacked in terms of cyber attacks and because of the amount of financial organizations here.”
Quantifying success can be difficult, Scheffer said.
“Will it pay off in the long term? I don’t know. How do you know? You don’t know if someone didn’t try to attack you because you had a good reputation of defending yourself. There is no control group in this case.
“It is not a profit center. Investing in cybersecurity is necessary, not as a product that creates revenue, but it’s a necessity, like defending your borders.”
A state or city, according to Scheffer, is no different than a corporation. “It has to be managed.”