Oklahoma’s Pension Theft Has Limited Credit Impact, But Highlights Municipals’ Vulnerability to Cyberattacks

Moody’s has issued a comment, Oklahoma’s Pension Theft Has Limited Credit Impact, But Highlights Municipals’ Vulnerability to Cyberattacksnoting the Oklahoma Law Enforcement Retirement System (OLERS), for which the State of Oklahoma (rated Aa2/stable outlook) is the sole government sponsor, announced earlier this month that approximately $4 million had been stolen from it through a cyber e-mail attack. The retirement system has stated that the funds will be recovered, but even if they are not, the credit impact on the state is very limited because of the small size of the theft. The magnitude of the cyberattack suffered by Oklahoma’s pension system is minimal, and far less than potential losses from investment volatility. As of fiscal 2018 reporting, OLERS accounted for roughly 7% of the state’s total pension liabilities and assets, and the $4 million stolen from OLERS is less than 1% of its roughly $1 billion in assets

Nonetheless, the event highlights that municipal governments’ exposure to cyber risk extends to their pension systems, and underscores that US state and local governments are increasingly vulnerable to cyber risk. However, in general the sectors’ credit exposure to cyber risk is relatively low, given governments’ ability to limit financial risks and constrain operational impacts. Two key factors help to mitigate the potential impact of cyberattacks for US public pension systems. Similar to asset managers, US public pension assets largely reside at custodian banks, an effective transfer of some cyber security responsibility to a third party. Unlike asset managers, US public pension systems have a captive hold on member assets, and thus are not at risk of large-scale withdrawals from clients in the event of reputational damage resulting from a cyberattack. In the case of OLERS, the state has also indicated that it plans to better integrate OLERS’ cyber security infrastructure with that of the state and its other pension systems.

OLERS is not the first US public pension fund to report a low-magnitude cyber theft. The Iowa Public Employees’ Retirement System publicly reported a theft in the range of hundreds of thousands of dollars in 2017. Despite its relatively low impact, the theft of funds from OLERS demonstrates that in addition to their direct vulnerability, US state and local governments are also indirectly exposed to cyber threats via their pension systems because they are ultimately the sponsors responsible for funding benefit payments to retirees.

Please contact me if you have any questions or wish to speak to anyone at Moody’s. Thanks

Follow Moody’s Public Finance Twitter Feed at @MoodysUSPub Fin