State bans on cyber ransom payments viewed favorably by Moody’s

Laws proposed or passed by several states prohibiting local governments from paying ransoms in cyberattacks are viewed as an encouraging trend by Moody’s Investors Service.

The laws enhance preparedness and incident response, which Moody’s wrote in a commentary, are both credit positives for local governments.

“The measures to prohibit ransomware payments will encourage local governments to be more proactive in implementing cyber risk prevention initiatives, since they know they will not be able to pay cybercriminals for the keys to the ransomware,” Moody’s Assistant Vice President Gregory Sobel said.

The measures also require local governments to report cyber incidents, which increases the likelihood of “a coordinated response with better-equipped state governments,” Sobel said.

North Carolina’s stringent law approved in November prohibits municipalities from paying a ransom related to a ransomware attack and even communicating with any cybercriminals instigating the ransomware attack. Florida’s House Bill 7055 that prohibits ransom payments passed the House and Senate and awaits the governor’s signature.

New York’s Senate bill, S6806A, that would prevent government, businesses and healthcare entities from paying a ransom, is in committee. 

The Pennsylvania Senate approved its law banning ransom payments, but it has languished in the House’s judiciary committee since January, according to its bill tracker website. A similar law in Texas died in committee.

Moody’s acknowledged that banning ransom payments, while credit positive in the long term, might create “teething troubles” in the short term.

“For example, if a local government is attacked and cannot pay to restore system access, critical data could be lost and operations disrupted for an extended period,” the analysts wrote in Thursday’s analysis. “As a result, the financial impact may be greater than if a municipality were allowed to make the ransom payment.”

The success of the laws will depend on the states’ willingness to enforce the laws and provide funding and management support for local governments.

Other states have created support systems that don’t involve banning ransom payments, Moody’s said.

Maryland’s governor signed a law that created a cybersecurity fund to help local governments upgrade their securities systems and requires certain local agencies to undergo annual security assessments. Arizona and Iowa have both created cybersecurity command centers to support local governments.