A school district in Texas fell victim to a phishing attack, causing the district to miss payments on three of its bond issues and defaulting on such issues. As a result, the intended bond payments were instead electronically transferred via an automatic clearing house to a fraudulent account. Moody’s Investor Services considered the default an administrative default and not a payment default. This is because even though the school district missed the payments, it was not for an inability or unwillingness to make the payments.
Cybersecurity threats have been increasingly considered as a general risk to the credit rating of municipalities and other public entities. For example, if a municipality’s infrastructure is targeted for ransom, such an attack could affect the municipality’s ability to pay its outstanding bond issues generally. In 2018, Joe Mielenhausen, a spokesperson for Moody’s, was quoted in The Bond Buyer that Moody’s views “cyber risk as event risk – an incident with a low probability, but potentially high impact.”
Issuers should take note as this phishing attack actively targeted the bond payments themselves. Cybersecurity attacks are likely to increase in frequency and sophistication. This is an issue which should not simply be characterized as a buzzword, or a concern for municipal finance in the future. The Texas school district was able to allocate money from its general fund to make the missed bond payments, but that may not be possible for every issuer.
As cybersecurity attacks become more sophisticated and prevalent, it is important to speak with an attorney about steps that you can implement to reduce exposure to these types of attacks.