Midwest public sector grapples with rising cybersecurity challenge

When a ransomware attack struck the city of Huber Heights, Ohio, Nov. 12, it first showed up in a 911 dispatch center computer. A Russian hacker group known as Black Suit, said City Manager Richard Dzik, went on to encrypt multiple city servers and machines, and ultimately gained access to the data of about 5,000 people.  

To make matters worse, the Dayton suburb's IT director had just resigned about 10 days earlier, and the city had yet to find his replacement. 

Fortunately, Huber Heights had cyber insurance at the time. So city officials could move quickly to cut off the attack and restore affected machines from backups.

Sign at border of Huber Heights, Ohio
After a ransomware attack, Huber Heights, Ohio, invested over $700,000 in redesigning and securing its IT network.
Bloomberg News

"We shut down the city's network, brought in cybersecurity specialists and relocated the dispatchers to the county dispatch center," Dzik said. "Public safety departments were unaffected throughout the incident."

Huber Heights is part of an escalating arms race between public sector organizations and hackers, one that is costing organizations more but has largely not resulted in bond rating impacts.

In 2022, ransomware attacks hit 106 local governments, 44 universities and colleges, 45 school districts running 1,981 schools and 25 healthcare providers operating 290 hospitals, according to a January 2023 report by Emsisoft, an anti-malware and enterprise security company. Recent estimates suggest attacks have only risen since then.

The city refused to pay the ransom, although 2,000 people will need credit monitoring services as a result of the attack. Working with the contracted cybersecurity firm, the Federal Bureau of Investigation and the Secret Service, city IT staff restored most city operations to normal within three weeks. Non-essential IT functions were still being brought back online last month.

Today, Huber Heights has a cybersecurity firm monitoring its network nonstop; the firm reports directly to the new IT director and city manager. Next week, the city will host cybersecurity community workshops at the request of the City Council, the goal being to teach residents how to keep personal information safe.

"Additionally, the city, through the approval of the City Council, invested over $700,000 in redesigning and securing the city's IT network to prevent future incidents," Dzik said.

According to Huber Heights' 2022 annual report, as of Dec. 31, 2022, the city of 43,000 had $34.75 million of general obligation bonds and notes outstanding.

Moody's Ratings assigns its underlying Aa3 issuer rating to Huber Heights and to its general obligation limited tax bonds; S&P Global Ratings rates the GOs an underlying AA-minus.

The frequency of cyberattacks has grown by 26% a year in North America over the past seven years, according to an April 4 report by Moody's. In 2023, global ransom payments surpassed $1 billion for the first time.

Moody's found that 87% of issuers private and public now carry specialist, standalone cyber insurance policies, up 21 points from 2021. Such policies cover business interruption expenses, incident response and ransom payments, among other things, although law enforcement advises never to pay the ransoms.

More broadly, private and public sector issuers together reported a 65% increase in spending on cybersecurity over the past five years. Those budgetary increases have fueled a 25% jump in in-house cyber talent. 

"Only regional and local governments trail in this regard, with 44% reporting they still have no dedicated, full-time cyber staff," Moody's noted. But "so far, the organizations we rate have had sufficient resources to cope with cyberattacks, and we have only seen a dozen cyber-related credit rating events as a result."

When hackers targeted the city of Oshkosh, Wisconsin in January 2020, the city had just recently purchased cyber liability insurance in 2019. The ransomware attack took Oshkosh's computer systems down for about a week before the city's IT team restored public-facing systems, although it took until Feb. 28 to achieve 90% restoration of city functionality. 

IT Division Manager Tony Neumann said the insurance company helped with everything from remediation efforts to preventive measures to end-user cybersecurity education. Oshkosh, like Huber Heights, refused to pay the ransom.

"Having a cyber liability policy allowed for a separate level of auditing and assistance from the administrative side," he said. "The insurance company engaged a third-party cyber forensic firm and [gave] legal time to review the incident and determine the city's scope of liability and the depth of the intrusion."

aerial view of Oshkosh, Wisconsin
Oshkosh, Wisconsin, had just taken out cyber liability insurance when it was hit with a ransomware attack. The city's IT director says the insurance helped it recover from that attack and prevent future ones.
VisitOshkosh.com

Membership in InfraGard has also helped, he said. InfraGard is a nonprofit alliance with the FBI for education, information sharing, networking, and workshops on emerging technologies and threats.

Neumann said it has given him advance notice of malicious actors and emerging threats ramping up "in the wild." He's also benefited from membership in the Governmental Information Processing Association of Wisconsin, a discussion forum for local and county governments around shared issues. 

Neumann reports to Oshkosh's director of administrative services and the assistant city manager. His direct line of communication to key officials allows them to "see the day-to-day operations and understand the criticality of the uninterrupted services we provide," Neumann said. 

Oshkosh, population 66,000, had $368.5 million in general obligation and revenue bonds outstanding as of Dec. 31, 2022, according to its 2022 annual report. Moody's rates the city and its GO debt Aa3 underlying.

In its report, Moody's emphasized the importance of dedicated cyber staff in building cyber preparedness, but noted that regional and local governments trail other public and private sector organizations in having an individual whose chief responsibility is overseeing cybersecurity.

"We've been following attacks across cities, counties, utilities, school districts, and they are many and they're growing in nature," Orlie Prince, a senior vice president at Moody's who leads the rating agency's task force for cyber finance, told The Bond Buyer. "However, they have not had an impact on any of our [regional and local government] ratings yet."

Nonetheless, "we have a lot of concerns," said Gregory Sobel, an assistant vice president-analyst at Moody's. "We've seen some pretty significant improvements, but they [regional and local governments] still really lag behind other sectors."

Most of the local governments that Moody's rates have some form of cyber insurance, decent financial reserves and good liquidity, they said. But Sobel said there's the issue of standalone cyber policies versus general liability policies: "We do believe that standalone policies are more advantageous, so we are looking at that," he said.

They're also looking at third-party vendor risk, a serious concern for local governments that rely on cloud computing more than other sectors. They want to see cybersecurity prioritized organizationally, as evidenced by cybersecurity managers reporting to top leaders. And they want to see timely security updates, multi-factor authentication, incident response plans, advanced vulnerability testing and frequent patches.

Hackers are not only targeting local governments. Healthcare is one of the most attacked sectors; it's also one of the most vulnerable technologically. That became clear most recently when a cyberattack sidelined Change Healthcare, which acts as an intermediary between hospitals and insurance companies. 

Change is a healthcare payment cycle management company and a subsidiary of UnitedHealth Group, a healthcare services provider.  Change handles one in every three patient records in the U.S., according to the Department of Health and Human Services

On Feb. 21, hackers gained access to the Change Healthcare network. UnitedHealth promptly disconnected Change's systems to prevent contagion, the company said in a statement.

"That's been probably the biggest attack on the industry as a whole," said Matthew Cahill, a Moody's assistant vice president-analyst. "When Change went down, our hospitals couldn't get paid… The good news for our healthcare portfolio is, our organizations tend to have pretty strong balance sheets in terms of liquidity. So they can handle a little bit of a delay in payment, which is really the big issue with this Change Healthcare attack."

Cahill said things are now "pretty much back to normal," although there's still a little bit of work left to do. The hospitals Moody's rates, he added, had access to lines of credit or short-term liquidity and were able to ride out the Change attack. 

Another high-profile cyberattack hit Lurie Children's Hospital in Chicago, a nonprofit hospital affiliated with Northwestern University, on Jan. 31. The cyberattack tanked Lurie's phone, email and medical records systems, according to Becker's Health IT.

By this month, the hospital had gotten its phone, email, health records and charts back online, but its patient portal remained scrambled as of last Tuesday, Becker's reported. Lurie did not respond to phone calls or emails requesting comment.

Lurie has a handful of bond series outstanding, according to the MSRB's EMMA website. They are rated AA by Fitch Ratings and AA-minus by S&P.

Most issuers have so far managed to avoid the nightmare scenario for local governments and nonprofit hospitals alike: a crippling cyberattack followed by a rating downgrade. That's what hit Capital Region Medical Center in December 2021. 

The Jefferson City, Missouri, hospital is part of the University of Missouri's MU Health Care system.

In 2022, Moody's downgraded CRMC to speculative grade Ba2 from investment-grade Baa2, saying a cyberattack had added to "existing operational challenges" to produce a sudden deterioration in liquidity. In August 2023, it upgraded the hospital to Ba1 with a positive outlook. It withdrew the rating in January, an action that coincided with Capital Region's full integration into MU Health Care. The hospital did not respond to requests for comment.

The things to watch out for from a credit standpoint, Moody's analysts said, are outages of prolonged duration or attacks that worsen preexisting stressors.

"In the case of Capital Region Medical Center, the cyberattack caused disruption on top of other underlying credit stress," Cahill said. "So there's the labor shortage; I think they had an IT conversion at the time; and then this was kind of the straw that helped break the camel's back. So when combined with other headwinds is where we really see issues."

To ward off that scenario, issuers have to keep fortifying their defenses in the ongoing cybersecurity arms race that has overtaken the public sector. 

"The more secure your systems are, the less likely you're going to be attacked," said Prince. "And the less likely you're going to be put in a situation where you're going to have to pay ransom."

For reprint and licensing requests for this article, click here.
Trends in the Regions Public finance Cyber security Ohio Wisconsin Illinois Missouri
MORE FROM BOND BUYER