Skip to main content
close search
site logo
Dive Brief

Log4j raises cyber risk for public finance entities, Fitch warns

Published Jan. 19, 2022
David Jones's headshot
Reporter
Mario Tama via Getty Images

Dive Brief:

  • The Log4j vulnerability may expose public finance entities, including local governments, utilities and infrastructure to serious cyber risk, putting pressure on their operations and finances as bad actors feel emboldened to launch ransomware or other malicious attacks, according to Fitch Ratings. 
  • Many local agencies and facilities have high exposure to Log4j, which is found in hundreds of millions of devices and applications around the world. Many of these organizations have a limited number of information security experts on staff, use legacy technology and lack the resources to rapidly assess their level of exposure to the vulnerability, according to Omid Rahmani, associate director, U.S. public finance at Fitch.
  • Cyber insurance coverage has become more difficult to maintain for these agencies and other local organizations, according to Rahmani. Premiums have risen sharply in recent years and insurance companies have increased demands for customers to conduct security audits and engage in best practices. In some cases insurers will deny coverage to organizations that fail to meet minimum standards. 

Dive Insight:

The warning comes at a time when municipal governments and other agencies are under pressure from a combination of limited revenue following the COVID-19 lockdowns, staffing shortages from exposure of workers to the virus, and increased cyber risk from nation-state threat actors and criminal activity.

The limited funding and technical expertise has left many of these agencies exposed and unprepared to deal with sophisticated cyber threats that have debilitated more sophisticated organizations. 

"There [are] a lot of proprietary or out-of-life Java-based applications that are used across the public finance world," Rahmani said during an interview. The demands on public servants are constantly increasing when it comes to IT and cyber risk.

Because of the complexity of Log4j, it's hard to translate the scope of the vulnerability to policy decision makers or taxpayers. 

"Log4j is not a straightforward software like many others had previously dealt with and it's difficult to assess even if you're using it," said Randy Rose, senior director of cyber threat intelligence at the Center for Internet Security.

In years past, investors had overlooked the risk of cyber threats to municipal governments and other local organizations. Rahmani said the 2018 ransomware attack against the city of Atlanta was a huge turning point, calling it a "watershed moment." 

Two Iranian nationals were later charged with launching the attack using "SamSam" ransomware, which infected almost 3,800 government computers. 

More recently, small critical infrastructure sites have been the target of ransomware and other cyberattacks. Last fall, foreign threat actors targeted regional grain co-ops in Minnesota and Iowa with ransomware. In October, federal authorities warned of attacks targeting wastewater and water treatment facilities. 

Editors' picks

Company Announcements

View all | Post a press release
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Traceable Releases 2025 State of API Security Report: API Breaches Persist as Fraud, Bot Attac…
From Traceable AI
October 30, 2024
Mystic Valley Elder Services Data Breach Investigation
From Migliaccio & Rathod LLP
October 31, 2024
CUSO Financial Services, LP Data Breach Investigation
From Migliaccio & Rathod LLP
October 31, 2024
Editors' picks
Latest in Vulnerability
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell