Laws proposed or passed by several states prohibiting local governments from paying ransoms in cyberattacks are viewed as an encouraging trend by Moody’s Investors Service.
The laws enhance preparedness and incident response, both of which are credit positives for local governments, Moody’s wrote in a commentary.
“The measures to prohibit ransomware payments will encourage local governments to be more proactive in implementing cyber risk prevention initiatives, since they know they will not be able to pay cybercriminals for the keys to the ransomware,” Moody’s Assistant Vice President Gregory Sobel said.
The measures also require local governments to report
North Carolina’s stringent law approved in November
New York’s Senate bill,
The Pennsylvania Senate approved its law banning ransom payments, but it has languished in the House’s judiciary committee since January, according to its bill tracker website. A similar law in Texas died in committee.
Moody's acknowledged that banning ransom payments, while credit positive in the long term, might create “teething troubles” in the short term.
“For example, if a local government is attacked and cannot pay to restore system access, critical data could be lost and operations disrupted for an extended period,” the analysts wrote in Thursday's analysis. “As a result, the financial impact may be greater than if a municipality were allowed to make the ransom payment.”
The success of the laws will depend on the states’ willingness to enforce them and to provide funding and management support for local governments.
Other states have created support systems that don’t involve banning ransom payments, Moody’s said.
Maryland’s governor signed a law that created a cybersecurity fund to help local governments upgrade their security systems and requires certain local agencies to undergo annual security assessments. Arizona and Iowa have both created cybersecurity command centers to support local governments.