Skip directly to Accessibility Notice
  • Muni Nation

    Cybersecurity and Municipal Bonds: Part 1

    Jim Colby, Portfolio Manager
    August 16, 2017

    This is part one of a three part series by Jim Colby, Municipal Bond ETF Portfolio Manager at VanEck, that explores the intersection between cybersecurity and the municipal bond market. Part 1 looks at what is at stake; Part 2 describes ways in which these issues can be addressed; and Part 3 discusses possible drivers to action.

    Cybersecurity Challenges Impact Government: At Federal, State, and Local Levels

    The importance of cybersecurity has never been more apparent. Cybersecurity issues are a growing challenge that impact many aspects of our economy, including most of the services provided by municipal borrowers.

    Although not readily obvious, municipal services are vital to the smooth running of daily life. These services run the gamut, including funding and managing traffic lights, supplying electric and sewer services, water supply, maintaining/building roads, building bridges, supervising elections, running hospitals, and providing mental and physical health support.

    Safeguarding municipal services is vital at all levels: federal, state, and local. Both government and the private sector are spearheading important security initiatives to meet the growing cybersecurity challenges that are involved.

    What is at Stake?

    Municipal governments are involved in most aspects of our lives, and each service provided is subject to unique cybersecurity issues.

    Here is just one example.

    Municipal governments collect (and need to "safeguard") a tremendous amount of information – any or all possibly containing personally identifiable information (PII) or sensitive personal information (SPI) – including, of course, Social Security numbers. Examples of how this information is collected include house deeds, mortgage documents, records of births, marriages, deaths, medical records, driver licenses, and court documents (e.g., divorce settlements).

    Both PII and SPI are subject to the impacts of cybersecurity personal identity theft, and awareness of identity and access management (IAM) is playing an evolving role in tightening cybersecurity frameworks in both the public and private sectors.

    Examples: Federal Cybersecurity Incidents

    Each year, in a report to Congress, the Office of Management and Budget (OMB) provides "summary information on the number of cybersecurity incidents that occurred across the government and at each Federal agency."1These incidents are notable not only for their number, but also for their variety, as shown in the following table.

    Federal Agency Reported Incidents by Attack Vector – Fiscal Year 2016

    Attack Vector Description CFO* Non-CFO* Govt-wide
    Attrition Employs brute force methods to compromise, degrade, or destroy systems, networks, or services. 108 1 109
    E-mail/Phishing An attack executed via an email message or attachment. 3,160 132 3,292
    External/Removable Media An attack executed from removable media or a peripheral device. 132 6 138
    Impersonation/Spoofing An attack involving replacement of legitimate content/services with a malicious substitute. 60 4 64
    Improper Usage Any incident resulting from violation of an organization’s acceptable usage policies by an authorized user, excluding the above categories. 3,920 210 4,130
    Loss or Theft of Equipment The loss or theft of a computing device or media used by the organization. 5,313 377 5,690
    Web An attack executed from a website or web-based application. 4,766 102 4,868
    Other An attack method does not fit into any other vector or the cause of attack is unidentified. 11,365 437 11,802
    Multiple Attack Vectors An attack that uses two or more of the above vectors in combination. 789 17 806
    Total   29,613 1,286 30,899

    Source: FISMA FY 2016 Annual Report to Congress.
    *Chief Financial Officers Act agencies are those agencies designated in the CFO Act (with the addition of Department of Homeland Security and minus the Federal Emergency Management Agency). In practice, the CFO Act agencies are the 24 largest Federal agencies in terms of budget; the 23 civilian CFO Act agencies are the CFO Act agencies minus the Department of Defense.

    Examples: Municipal Cybersecurity Incidents

    The breadth of cybersecurity incidents that can impact municipalities is deep and wide. The following are a sample of notable cybersecurity incidents that have impacted the municipal space over the past several years.

    Personal Information

    October 2014 – Personal information, including Social Security numbers, of more than 850,000 people possibly compromised when hackers gain access to Oregon Employment Department database.2

    February 2016 – Hollywood Presbyterian Medical Center pays 40 bitcoin (around $17,000) to hacker who "seized control of the hospital's computer systems and would give back access only when the money was paid."3


    August 2003 – On August 14, 2003, nearly 14 years ago, millions of people in both Canada and the U.S. were hit by the great Northeast blackout caused primarily by a software bug. There was no power to run the trains, and no power for pumping domestic fresh water, treating raw sewage, running lighting, refrigerators, and air conditioning, filling up with gasoline, accessing electronic airline tickets, running cable TV, and recharging cell phones. This situation was caused by a software accident, and not a breach cybersecurity, but its impact was enormous.

    Fast forward to 2015 in Ukraine.

    December 2015 – It was certainly no accident on December 23, 2015, when malicious hackers deprived some 230,000 people in the Ivano-Frankivsk region of West Ukraine of power for up to six hours. The power company Prykarpattyaoblenergo's control center had fallen victim to a sophisticated cyberattack.

    Although this happened many thousands of miles away, according to one article: "the control systems in Ukraine were surprisingly more secure than some in the U.S."4Should a future power grid cyberattack occur in the U.S., the impacts could be enormous. While the event in Ukraine may have affected only 230,000 people, the Northeast blackout of 2003 was estimated to have affected at least 55 million people in both Canada and the U.S. Eleven people died.5

    March 2016 – The U.S. Justice Department indicted seven Iranians not only for cyberattacks on a number of American banks, but also for trying to take over the controls of a small suburban dam in Rye, New York.6

    How Can These Cybersecurity Issues be Addressed?

    The next piece in our three part series will describe some ways in which the issues can be, and already are being, addressed. For some years now, initiatives have existed both to "enhance the security and resilience of the Nation's critical infrastructure"7and provide "timely and actionable information" to "state, local, tribal and territorial (SLTT) governments."8


    This content is published in the United States for residents of specified countries. Investors are subject to securities and tax regulations within their applicable jurisdictions that are not addressed on this content. Nothing in this content should be considered a solicitation to buy or an offer to sell shares of any investment in any jurisdiction where the offer or solicitation would be unlawful under the securities laws of such jurisdiction, nor is it intended as investment, tax, financial, or legal advice. Investors should seek such professional advice for their particular situation and jurisdiction.

    VanEck does not provide tax, legal or accounting advice. Investors should discuss their individual circumstances with appropriate professionals before making any decisions. This information should not be construed as sales or marketing material or an offer or solicitation for the purchase or sale of any financial instrument, product or service.

    Please note this represents the views of the author and these views may change at any time and from time to time. MUNI NATION is not intended to be a forecast of future events, a guarantee of future results or investment advice. Current market conditions may not continue. Non-VanEck proprietary information contained herein has been obtained from sources believed to be reliable, but not guaranteed. No part of this material may be reproduced in any form, or referred to in any other publication, without express written permission of VanEck. MUNI NATION is a trademark of Van Eck Associates Corporation.

    Municipal bonds are subject to risks related to litigation, legislation, political change, conditions in underlying sectors or in local business communities and economies, bankruptcy or other changes in the issuer’s financial condition, and/or the discontinuance of taxes supporting the project or assets or the inability to collect revenues for the project or from the assets. Bonds and bond funds will decrease in value as interest rates rise. Additional risks include credit, interest rate, call, reinvestment, tax, market and lease obligation risk. High-yield municipal bonds are subject to greater risk of loss of income and principal than higher-rated securities, and are likely to be more sensitive to adverse economic changes or individual municipal developments than those of higher-rated securities. Municipal bonds may be less liquid than taxable bonds.

    The income generated from some types of municipal bonds may be subject to state and local taxes as well as to federal taxes on capital gains and may also be subject to alternative minimum tax.

    Diversification does not assure a profit or protect against loss.

    Investing involves substantial risk and high volatility, including possible loss of principal. Bonds and bond funds will decrease in value as interest rates rise. An investor should consider the investment objective, risks, charges and expenses of a fund carefully before investing. To obtain a prospectus and summary prospectus, which contain this and other information, call 800.826.2333 or visit Please read the prospectus and summary prospectus carefully before investing.