In today's evolving world of security and data privacy, K-12 schools, universities, local governments, and hospitals are increasingly finding themselves on the same list: vulnerable to the threat of a cyberattack.

Bad actors look at these institutions as a treasure trove of data, from structured information taking a standard form like names and addresses to unstructured information like how a student is behaving in class or how a patient is coping with a diagnosis. And with the COVID-19 pandemic forcing these same institutions to use more and varied technology, the door to increased cyberattacks has crept more and more open.

The bond market has taken note, increasingly including disclosures about the impacts of cybersecurity incidents and compliance in public offering documents.

Headed into 2024, increased focus on cybersecurity compliance and defense measures can help any institution in the event of a security breach or regulatory scrutiny. These efforts can have the added benefit of providing a strong story of proactive efforts that can have a positive impact on how lenders and the municipal bond market view a public institution.

Here's a look at what makes these institutions vulnerable to attacks in the first place and some measures to mitigate the risk.

Cybersecurity Policies, Processes, and Compliance Serve as Helpful Tools

The number of K-12 public schools that have suffered a ransomware attack nearly doubled between 2021 and 2022 to almost 2,000 a year, per a report by Emsisoft, a cybersecurity company. That statistic was detailed in a Wall Street Journal article last month on how hackers have proven to be a considerable risk for the municipal bond market.

It takes time, energy, and money to invest in protections against cyberattacks as well as shoring up security. If a public institution lacks the necessary resources, it is more likely worth the time of a bad actor to nefariously steal data and information.

Fortunately, there are a number of tools available for a public school or local government. For starters, institutions should strongly consider creating a written information security program or WISP. A WISP should include an incident response plan, which is reviewed and modified regularly to account for changes in personnel and structure. The WISP should also include a number of other policies focused on internal data security and controls that can serve as a guide for your personnel and as a touchstone for IT processes.

A WISP should have guidance for treatment of confidential information, like where to store and how to use personal information collected by your institution. This guidance should also touch on document retention and storage, among other topics.

Care should be taken that the practices outlined in the WISP remain in step with an institution's outward-facing privacy policy. Establishment of a robust WISP, and regular review, can serve as a strong signal of maturity of an institution's cybersecurity readiness program.

Practice Testing Your Cybersecurity Readiness

While practice likely cannot "make perfect" in an era of constant cyberattacks, it can greatly decrease the likelihood of a material breach and, if one does happen, can serve as a strong example of reasonable security measures that the institution employed to guard the information in its care.

Institutions should conduct regular security breach tabletop exercises to test their incident response process with a core team. These teams should also regularly test and train their personnel and seek objective assessment of their security infrastructure from outside sources. Again, the more institutions demonstrate their overall cybersecurity readiness and the practicing of those programs, the better chance they have to be viewed by the municipal bond market as a safe investment.

Vetting Outside Vendors

More often than not, public institutions are partnering with outside vendors to help store and manage their data. While a helpful option, these vendors are one more portal for a bad actor to access information that should not be accessed.

While it can be a challenging and time-consuming effort to vet vendors, it is an important step. Institutions should involve their IT leads in the contracting process and seek their input on the security measures promised.

Other steps institutions can take include ensuring that they have a strong agreement that protects the institution and specifically addresses the baseline security measures a vendor will employ along with sub-vendor approval, auditing rights, personnel vetting and training, and how the vendor will assist (and possibly pay) in the event of a breach. This sort of thoughtful and organized vendor contracting process can serve as a further boon to your cybersecurity readiness.

If the Worst Happens …

Data breaches happen.

In these situations, a privacy policy should be your road map for how to respond. Every second matters and communication with the proper authorities should happen in a timely manner.

The municipal bond market is increasingly attuned to the risks of cyberattacks to school districts, local governments, hospitals, and other public institutions. Having a road map and investing in cybersecurity readiness and IT systems to protect against hacks will be seen only as a credit-positive in the eyes of lenders and municipal investors.

[View source.]