A “sophisticated” cyber security attack compromised the closing of a recent Michigan township competitive deal to finance a Civic Center project, according to township officials.
White Lake Charter Township, Michigan, sold $29 million of limited tax general obligation bonds, Series 2024B, to Baird on Oct. 31. On the Nov. 21 closing date, the township learned it “has been the victim of a sophisticated cybersecurity attack, which compromised a financial transaction related to a new issue of infrastructure bonds,” Daniel Keller, chief of police of the White Lake Township Police Department, said in a statement.
Federal authorities, in conjunction with the White Lake Township Police Department, are investigating the matter, he said.
“While this matter is under investigation, certain aspects of the development of the Township’s new Civic Center have been placed on hold,” Keller said.
The issuer filed a material event notice with the Municipal Securities Rulemaking Board Tuesday.
A spokesperson for the FBI said in a statement it routinely assists its law enforcement partners upon request.
FBI policy excludes the confirmation of the existence of investigations, the release of information on investigations, and any public report on the closing of an investigation, the spokesperson said.
Baird, Bendzinski & Co. Municipal Finance Advisors, the municipal advisor, and Dickinson Wright, bond counsel, could not be reached for comment.
The frequency of cyberattacks, most of which are ransomware, has been exacerbated by the advancement of technology and artificial intelligence and the public nature of muni bond deals, such as the known issuer coming to market and the parties involved, said Tiffany Tribbitt, a managing director and head of municipal and cooperative power at S&P Global Ratings.
“When you have multiple players involved, the banks, the underwriters, the [financial advisors], the issuers, that will always increase your risk, because it’s that multilayered security that you need everybody playing off same handbook,” as criminals search for the “weakest link in the chain,” she said.
Whether the cyberattack affects the issuers’ rating depends on various factors, such as the issuers’ reserve levels and insurance “mechanisms” and whether federal investigators could return proceeds, Tribbitt said.
“You might have somebody who can absorb a pretty sizable loss and then somebody where that sizable loss is going to take them down,” she said. “So it depends on where they are and how much you can sustain.”
In the past, most issuers have managed to avoid the scenario for local governments and nonprofit hospitals alike: a crippling cyberattack followed by a rating downgrade.
The township is rated AA+ by S&P.
Tribbitt said she could not comment on the specific deal or the issuer’s rating.
Townships are less likely to be victims of cyberattacks than other issuers, according to an
“States are the most likely targets — all but one state are attacked at least once, followed by counties and school districts, roughly 10% and 4% of which are attacked at least once,” they said, while “cities, special districts, and townships have significantly lower probability of being attacked, hovering at around 2% or less.”
“While cyberattacks do not appear to impair the ability of governments to tap the municipal bond market, entities hit by a data breach face greater financing costs,” they said.
Primary market yields are 10 to 13 basis points higher after a data breach, or up to a 5% increase relative to the average bond yields, they said.
“These effects are also permanent and persist for over three years after the cyberattack, suggesting that government may do little to alleviate investor concerns about cybersecurity risks in the intermediate and long-run,” the economists said.
Over the past seven years, the overall frequency of cyberattacks has grown by 26% a year in North America, according to Moody’s