When White Lake Township, Michigan, disclosed a hack of its bond closing last year, it signaled a need for the municipal market to implement better practices to secure financings.
Cyber criminals intercepted White Lake's $29.064 million competitive deal proceeds in late November,
By January, the township was preparing to return to market
Experts and market participants say the White Lake
At The Bond Buyer's 2025 National Outlook Conference, panelists in the Live Market Survey session agreed on the need to address cyber threats.
Panelist Belvia Gray, principal and public finance leader at Baker Tilly, said there's an opportunity for the industry to collaborate on guidelines and coordinate efforts around cybersecurity. She said her firm, which completed more than 300 transactions last year, now hears from clients about whether the diligence portion of the transaction involves readiness for cyberattacks.
The industry has gotten so used to doing business electronically that sometimes market participants do not meet in person anymore, and individuals may not know the actual person with whom they are dealing, said David Womack, deputy director for financing policy and coordination for the New York City Mayor's Office of Management and Budget, during the panel discussion.
"You can look at technological solutions, but we're the ones that have to hold support," Womack said. "Maybe I'm old-fashioned, but we've lost that personal touch where we know who the trustee is, we know who the counsel is, we know who the underwriter is. We know those people. And if we get an email from somebody, and we've never heard of who is that, we don't know who that is."
White Lake alone will not drive solutions to this problem, said Omid Rahmani, public finance cybersecurity lead at Fitch Ratings, in a separate interview.
"There probably needs to be more momentum, and I hate to say that, but usually you need something to become persistent and get a lot of attention for an innovation to actually get adopted," he said.
Financial cybercrime is already growing. Robert White, CEO of BaseFund, which secures transactions in the municipal, corporate and banking sectors, said some insurance companies think the true scale of the wire fraud problem in the U.S. is larger than current estimates suggest.
"It's everybody, even banks," he said of players looking to secure transactions from threat actors. "We haven't talked to a bank that hasn't lost six to seven figures per year to wire fraud. And that's tiny banks all the way to the largest banks."
A distinct but related problem has also been growing. The public sector was the third most-targeted sector by nation-state cyber threat actors in 2024, according to Microsoft Threat Intelligence's global 2024
"We have seen a marked increase in the interest of adversarial nation states in targeting [state and local governments in America]," Rahmani said. "In the U.S., we do a lot to separate local from state from federal power, and everyone does their utmost to stay in their own lanes. … Adversarial nation states don't differentiate. … They see American government as American government. Which is why in the last two years, we've seen very high-profile, very alarming nation state-led attacks on our sector."
White Lake hints at wider problem
BaseFund's White worked as a municipal advisor in Texas for 15 years, and said hacks like the one that hit White Lake are becoming more common. The problem is exacerbated by America's transparency laws, which, while "a great thing," enable threat actors to watch deals and find the right points to target, he said.
And nobody was addressing the problem because there was no open discussion of the threat.
"You don't want that on the street, necessarily, when it does happen to you; but I saw it firsthand, and I have many friends who are still in the business who have to fight that problem or have had it occur," White said. "It's something that keeps increasing."
The Americas saw $102.6 billion in payments fraud in 2023, according to Nasdaq's 2024
U.S. residents lost $1.8 billion through bank transfers or payment apps and $343.7 million through wire transfers in 2023, according to the
About 60% of financial institutions said fraud has grown across consumer and business accounts in the last year, according to
"There hasn't been a massive push on technology on the issuance side of the debt," White said. "There's a lot of technology that exists on the underwriting side, [but] not so much on the other side."
Firms spend money on internal systems and safeguards, but if they don't extend protections to external participants, especially issuers, there will be vulnerabilities, said Matthew Gerstenfeld, CEO and co-founder of fintech firm Munichain.
Email remains a major weak point, as most shops' security measures end at their internal walls. Email threads, filled with sensitive data, are "floating around in an unsecured environment, creating multiple entry points for threat actors," he said.
"The inability to extend secure infrastructure beyond internal systems leaves many firms vulnerable," Gerstenfeld said.
"Without secure interoperability with external parties, these risks will continue to persist," he said.
As the threat has escalated, munis haven't kept up. Rahmani noted "the public sector has absolutely been in the crosshairs" the last few years, but he said local government is also the least mature sector out there in terms of cybersecurity.
"The siloing of information, especially threat information, is one of the best ways to assist the threat actors," he added.
Cyber insurance is no panacea
Cyber criminals have capitalized on human error as much as technological weaknesses.
"Banks move money, but people coordinate capital," White noted.
Compounding the problem is wire transfers can't be recalled the way an Automated Clearing House Network (ACH) transfer can. In the securities industry, most people deal with wire transfers due to the size of the payments and the finality that's needed, White noted.
More local government issuers are now aware of the need to take out a cyber insurance policy. But cyber insurance is not a substitute for a cybersecurity strategy.
"Cyber insurance is only one form of risk transfer, and … it should not be regarded as [a primary risk transfer]," Rahmani said. "Organizations need to be a lot more proactive in adopting a vertical culture of cyber hygiene, and really focusing on strengthening and maturing their cyber security philosophies."
Overreliance on cyber insurance provides a false sense of security, with policyholders often unclear on the conditions and limitations that come with their policy, he said. And cyber policies often prove inadequate.
Roughly 40% of IT leaders are unsure what their cybersecurity policy actually covers, according to
Cyber incidents have also risen in recent years for organizations of all sizes, with healthcare and financial services seeing higher claim costs, according to the
Other pitfalls include high denial rates and rising premiums. Underwriting requirements are changing and annual cyber insurance premiums are projected to rise by 15% to 20% annually by the end of 2026, reaching about $23 billion from $14 billion at the end of 2023, according to a
And
Market responds with new strategies
The industry is starting to react to the rising threat. Platforms like BaseFund have sprung up. The company secures transactions ranging from under $1 million to over $250 million, with municipal advisors and bond attorneys as its primary clients.
BaseFund deploys multi-factor authentication, identity verification, what White calls "pre-plumbing the transaction" and micro-depositing to secure transactions.
Munichain works closely with its clients to "implement sensitive data controls that are now in use — allowing users to manage access, revoke permissions, and track changes in real-time," said Gerstenfeld.
And cybersecurity discussions are now taking place in industry forums, like The Bond Buyer's National Outlook conference, where Baker Tilly's Gray shared that her firm has been focusing on the bond sale, bond closing and delivery processes — on "the spots where there is money that's being exchanged and how we can strengthen the ways in which we're providing that communication to all the relevant parties and the working group."
While transparency is needed, the issuer has to "strike a balance" between saying enough and not saying too much, noted panelist Diana Hamilton, president of Sycamore Advisors.
When New York City and its governmental authorities and agencies come to market with a deal, there is a separate call with the city's office of technology and information that manages its cybersecurity practice during the due diligence portion of the transaction, New York City's Womack said during the panel.
"We can tell you what we're doing on a holistic basis, but to get granular almost gives the cyber criminals a roadmap, and you don't really want to do that," he said.
Regional cyber labs have also formed in some parts of the country. Pioneered by Dr. Brian Gardner — now deputy chief information officer for the city of Austin — they are informal information-sharing networks of chief technology officers or chief information officers for local governments.
Rahmani said there are a few in California, a couple in Texas, one in Idaho and several in Colorado. They sprang from a realization that a common belief about cyberattacks — you can call the Federal Bureau of Investigation, and they will fix the problem — is misguided. The FBI's job is to bring charges, not help an organization recover.
"Because there was a realization that there is no cavalry, that we're basically all we've got, municipal entities started collaborating … on things like shared threat intelligence, response resources and lessons learned; coming together and doing exercises; making sure their staff is in communication with one another," Rahmani said.
The regional cyber labs model has the potential to grow across states and even nationwide, creating a web of threat intelligence-sharing for local governments, he said.
Professional associations are also starting to roll out best practices. The Government Finance Officers Association released guidance on wire fraud for its members earlier this month.
"These fraud prevention measures, including sending the government's banking information through encrypted means, should be adhered to by all vendors and bond deal team participants to prevent fraudulent activity,"
But there is growing consensus that more steps are needed to prevent situations like the White Lake hack from recurring.
"If it hasn't happened to you, then you don't take it as seriously," White said. "You think, 'Well, our system's doing fine, nobody has done this [to us].' … I just think it's unfortunate that we need more of these things to happen and be on the news for people to make the change quicker."
