Cybersecurity has become a critical issue for all organizations. A few examples can underscore the just how serious this threat has become. The United States military has set up the Cyber Command, a unified combatant command reporting directly to the Secretary of Defense.  Its job is to defend the United States against cyberattacks from foreign powers.  The Securities and Exchange Commission (SEC) has also taken great interest in this area.  Public companies are required to report any material breaches of their critical information systems, analyzing the legal, financial and reputational consequences of such actions. There have even been proposals boards of directors of such companies must have a designated cyber expert just as it must have designated financial experts.

Somehow, the message about this threat has not filtered down to some governmental entities.  An amazing example of poor internal controls is unfolding in Baltimore, Maryland.  As this article is being written, the city’s information systems have been held hostage for the last nine days.  There doesn’t seem to be any end in sight to the problem either. The city’s email and critical billing and payment systems are at a standstill. Baltimore has been reduced to receiving checks as payment. One can only imagine the accounting nightmare this will cause after everything is sorted out.  The culprits are asking for ransom payments in bitcoin, a payment method notoriously difficult to trace.

What is even more amazing is the city suffered a previous cyberattack.  Chillingly, that attack disabled the 911 system over a weekend period, putting people’s lives in danger.  The city had to revert back to manual processing of 911 calls. One would have thought this would have been a clear warning.

Given there have been two successful cyberattacks on Baltimore, here are many internal control questions that need to be answered.  Among these are:

  1. Are there defects in the control environment? The control environment reflects the “tone from the top” of the organization.  How control conscious is the management of the entity?  Judging from the Comprehensive Annual Financial Report (CAFR) for the year ended June 30, 2018, not very when it comes to cyber security.  A search for the word “cyber” finds only one reference.  Another search for the phrase “information technology” finds only four, including the reference to the word “cyber”.  Various other permutations and combinations were tried to make sure any reference to this potential threat were uncovered.  To be fair, the complete sentence containing the word “cyber” talks about migration of data to the cloud in order to enhance cyber security.   Clearly, this action was not enough.
  2. What was the disaster recovery plan? Every organization needs a disaster recovery plan.  It is part of a good system of internal control. Apparently, this plan was either not effective or there may not have been one.  The CAFR says “data” is being migrated to the cloud.  What about the actual operating systems themselves?  Given key financial systems have been paralyzed for nine days already, a reasonable observer could conclude the provision for hardware and software emergencies in the disaster plan must have been inadequate or nonexistent.
  3. Do the personnel involved have the necessary skills and competence to maintain cyber security? That is a question that can’t be answered from afar, but it is worth noting the Director of Information Technology has a reported annual salary of $250,000.  Certainly, the city is not “cheaping out” on salary for responsible officials.
  4. Where were the independent auditors? While analyzing auditing standards and failures are outside of the scope of this article, certain judgments can be made about the financial reporting. The CAFR makes no mention of the first cyberattack.  People’s lives were in danger, and no mention of this or any corrective action is described?  This is information any reasonable person would be interested in and certainly should be part of the CAFR.  The audit opinion gives a clean bill of health on the system of internal control.  Is this a reasonable conclusion give the seriousness of the first attack?   On page xx, the CAFR contains a Certificate of Achievement for Excellence in Financial Reporting.  In the index, this is referred to as the “Certificate of Achievement for Excellent in Financial Reporting.”  Perhaps that is just one small indication of how little attention was paid to the adequacy of the CAFR.

In fairness, there were some mitigating circumstances that needs to be taken into account:

  1. The attention of key players could have been turned elsewhere. The mayor resigned on May 2, 2019, just days before this crisis hit. There were serious allegations concerning self-dealing over a self-published book used in the school systems and abuse of the city’s credit card by the mayor’s staff.  This is anecdotal evidence of a lack of control consciousness at the top of the organization. It appears the “tone from the top” was “tone deafness” when it came to all forms of internal control in Baltimore.
  2. A key player was missing. The City Auditor resigned in February 2019. She did not disclose why she resigned other than to protect her own integrity.  Had a City Auditor been in place, perhaps more attention would have been given to this issue. Nevertheless, her unqualified independent audit report of the 911 system issued in January 2019 also did not address the data security breach either.  (Incidentally, the City Auditor is paid by the city.  How she could have issued an audit report saying the 911 system accounting was in accordance with generally accepted accounting principles is somewhat mystifying due to a glaring lack of independence.)
  3. Accounting standards for cybersecurity government entities are not sufficient. The GASB needs to revisit the required disclosures for cybersecurity.  Perhaps they should take the lead from the SEC where disclosure of cybersecurity breaches needs to be reported if there is a material impact on operations, finances and reputation.  The CAFR is an outstanding vehicle to convey this information since a management discussion and analysis of the financial information presented is required.

Cyberattacks on cities and other governmental agencies are on the rise.  Is another catastrophe such as what happened in Baltimore required for responsible parties to take notice of this threat?

Sources: Consulted (All accessed May 17, 2019):

https://www.baltimoresun.com/news/maryland/baltimore-city/bs-md-pugh-resigns-20190502-story.html.

https://www.baltimoresun.com/news/maryland/politics/bs-md-ci-credit-card-audit-20180926-story.html

https://comptroller.baltimorecity.gov/sites/default/files/Maryland%20911%20Audit%20Report%20Fiscal%20Year%20Ended%20June%2030,%202018.pdf

https://comptroller.baltimorecity.gov/sites/default/files/Maryland%20911%20Audit%20Report%20Fiscal%20Year%20Ended%20June%2030,%202018.pdf

https://www.journalofaccountancy.com/news/2018/feb/sec-cybersecurity-disclosures-201818424.html

https://wtop.com/baltimore/2019/05/8-days-after-cyberattack-baltimores-network-still-hobbled/