Skip directly to Accessibility Notice
  • Muni Nation

    Cybersecurity and Municipal Bonds: Part 3

    Jim Colby, Portfolio Manager
    September 12, 2017

    Possible Drivers to Action

    This is part three of a three part series by Jim Colby, Municipal Bond ETF Portfolio Manager at VanEck, that explores the intersection between cybersecurity and the municipal bond market. Part 1 looks at what is at stake; Part 2 describes ways in which these issues can be addressed; and Part 3 discusses possible drivers to action.

    The Risk of Cyberattack

    We are all potentially at risk of cyberattack – directly or indirectly. When it comes to municipalities, this may not always be obvious to the average state or city taxpayer. However, it does not even seem to be that obvious to, or maybe even much appreciated by, many municipalities and/or states.

    Even with resources like the NIST Framework and US-CERT (see Part 1 and Part 2) available to them, governments and administrations appear to be moving slowly to protect themselves from cyberattacks – whether targeted at the sensitive information they hold or the services for which they are responsible. If they are actually doing anything, it is not readily evident. You would have thought that, at the very least, they would be telling taxpayers that they are "on it".

    Some investors may gain a modicum of comfort from the news that, despite the manifest dysfunctionality of its government in Springfield, the state of Illinois is now adopting mandatory cybersecurity awareness training for all state employees.1 It appears that Illinois is only the 15th state to require such training: What about the other 35?

    What Is There To Be Done About It?

    Addressing cybersecurity successfully will be predicated on a significant psychological shift in thinking. A shift to thinking first and foremost about prevention, not cure. As cybersecurity expert Hans Holmer2 described it to me the other day "…by externalizing the responsibility associated with cybersecurity, those who are vulnerable willfully ignore the fact that their security essentially boils down to just what they are happy to let the intruders/thieves/hackers… do".

    There are many different ways nefarious intruders can be slowed down, the impact minimized, and the cost reduced. But it all has to be done with front-end protection. Think of it as akin to donning a crash helmet before riding a motorcycle.

    All a Matter of Incentive

    In my view, the real key to success is incentivizing people to establish cybersecurity and to maintain it effectively. The difficulty lies in determining just what that incentive should be. Protection of property and essential services is a universal need, but urgency is still lacking.

    Possible Drivers to Action

    One possible driver to action could simply be alerting the public through their local media outlets just what havoc can be, and has been, wrought by cyberattacks. For example, at the National Health Service in the U.K. and the power company Prykarpattyaoblenergo in Ukraine. While the latter appears to have been a targeted attack, the former was simply about money. While both were malicious and extremely damaging, they could also be viewed simply as warning shots and indicative of what further might happen.

    Another driver could lie with municipalities' furthering their own commitments to high-quality and reliable public services. Terry Smith, CEO and founder of Smith's Cyber Security Gradings, believes that with the tradition of first-class service to uphold, public sector (both state and local) cybersecurity professionals are willing to meet the challenge, but the critical physical infrastructure is weak.

    I believe two other potentially effective approaches (if they were adopted) lie with the muni bond market itself. First, lenders should insist that bond issuers meet certain minimum standards of cybersecurity. These could be based on guidelines and standards set out by NIST and/or US-CERT. And their adherence to these standards will be monitored on a continuing basis.

    A commitment to and the subsequent maintenance of, these standards would be incorporated in municipal bond offering documents; that is, a clause covering cybersecurity would become standard. Its absence would likely result in a yield penalty to the issuer similar to what occurs with bond insurance.

    In the second instance, a commitment to and the recognition of standards by, credit rating agencies would have a direct bearing on an issuer's ability to obtain a stronger rating for the bond: the tradability of the bond would likely improve as a result. Cybersecurity gradings do already exist in the private sector, but not yet in the muni space.


    The services provided by municipal borrowers have always been, and remain, vital to our everyday life. The need to protect these services from possible disruption has become ever more important. Cybersecurity can help provide this protection. Cure, as opposed to prevention, is less and less an acceptable option. Luckily, initiatives such as those from NIST and US-CERT already exist. These have been designed to help all levels of government address the challenges of cybersecurity. Incentive remains the key issue.

    In sum, initiatives from analysts, bankers, and legal teams, in concert with issuers, to establish a standard clause in bond offering documents committing the borrower to establish and maintain certain cybersecurity standards are of paramount importance. Further, tying an issuer's credit rating to a commitment to, and subsequent maintenance of, certain cybersecurity standards needs the attention of credit rating agencies to provide the market incentive (lower cost) the issuers seek.


    Last week, security firm Symantec reported3 that dozens of energy companies, including some in the U.S., had been subject to hacker attacks in spring and summer this year. The firm's analysis found that "hackers obtained what they [power firms] call operational access … giving them the ability to stop the flow of electricity into U.S. homes and businesses." According to an article on the attacks in WIRED,4 Symantec noted that hackers had never before "been shown to have that level of control of American power company systems."


    This content is published in the United States for residents of specified countries. Investors are subject to securities and tax regulations within their applicable jurisdictions that are not addressed on this content. Nothing in this content should be considered a solicitation to buy or an offer to sell shares of any investment in any jurisdiction where the offer or solicitation would be unlawful under the securities laws of such jurisdiction, nor is it intended as investment, tax, financial, or legal advice. Investors should seek such professional advice for their particular situation and jurisdiction.

    VanEck does not provide tax, legal or accounting advice. Investors should discuss their individual circumstances with appropriate professionals before making any decisions. This information should not be construed as sales or marketing material or an offer or solicitation for the purchase or sale of any financial instrument, product or service.

    Please note this represents the views of the author and these views may change at any time and from time to time. MUNI NATION is not intended to be a forecast of future events, a guarantee of future results or investment advice. Current market conditions may not continue. Non-VanEck proprietary information contained herein has been obtained from sources believed to be reliable, but not guaranteed. No part of this material may be reproduced in any form, or referred to in any other publication, without express written permission of VanEck. MUNI NATION is a trademark of Van Eck Associates Corporation.

    Municipal bonds are subject to risks related to litigation, legislation, political change, conditions in underlying sectors or in local business communities and economies, bankruptcy or other changes in the issuer’s financial condition, and/or the discontinuance of taxes supporting the project or assets or the inability to collect revenues for the project or from the assets. Bonds and bond funds will decrease in value as interest rates rise. Additional risks include credit, interest rate, call, reinvestment, tax, market and lease obligation risk. High-yield municipal bonds are subject to greater risk of loss of income and principal than higher-rated securities, and are likely to be more sensitive to adverse economic changes or individual municipal developments than those of higher-rated securities. Municipal bonds may be less liquid than taxable bonds.

    The income generated from some types of municipal bonds may be subject to state and local taxes as well as to federal taxes on capital gains and may also be subject to alternative minimum tax.

    Diversification does not assure a profit or protect against loss.

    Investing involves substantial risk and high volatility, including possible loss of principal. Bonds and bond funds will decrease in value as interest rates rise. An investor should consider the investment objective, risks, charges and expenses of a fund carefully before investing. To obtain a prospectus and summary prospectus, which contain this and other information, call 800.826.2333 or visit Please read the prospectus and summary prospectus carefully before investing.