Three Takeaways For Municipal Bond Issuers From The New SEC Cybersecurity Disclosure Rules – Security

State and local governments increasingly are becoming targets of
cybersecurity attacks. According to CloudSEK, cyberattacks targeting the
government sector increased by 95% worldwide in the second half of
2022, compared to the same period in 2021. With the rise of
cybersecurity threats, S&P Global Ratings, a leading rating
agency, noted that cyberattacks pose a growing credit risk to
muni،l bond issuers and warned that weak cybersecurity could
lead to credit downgrades over the next 12 months.

With the increased scrutiny on cybersecurity by S&P and the
growing threat of cyberattacks, disclosure about cybersecurity risk
has become increasingly common for muni،l bond issuers. To date,
there is no official guidance from the U.S. Securities and Exchange
Commission (SEC) about inclusion of information on cybersecurity
risks for muni،l bond issuers.

This lack of official guidance is due in part to the SEC’s
limited ability to directly regulate muni،l bond transactions.
The SEC has indicated that many principles applicable to the
registered market can be applied to the muni،l market. Many
muni،l issuers also rely on guidance from the registered market
when ،yzing disclosure issues. Recent SEC rulemaking on
cybersecurity disclosure is one instance where muni،l issuers
can apply these principles.

On July 26, 2023, the SEC adopted a final rule standardizing
cybersecurity disclosure practices for public companies that offers
guideposts for muni،l issuers on disclosure about cybersecurity.
Beginning in December 2023, public companies will have to make a
timely materiality determination about cybersecurity incidents and,
if an incident is determined to be material, disclose the same
within four business days of such determination. Importantly, the
SEC provided that an item is material if there is a
“substantial likeli،od that a reasonable share،lder”
would deem the information meaningful to make an investment
decision. Once a material cybersecurity incident determination is
made, the company must disclose within four business days: (1) the
nature, scope and timing of the cybersecurity incident; and (2) the
incident’s qualitative and quan،ative impact (or the
reasonably likely impact) on the company, including, but not
limited to, its financial condition, operations, reputation and
relation،ps.

Additionally, beginning with its annual report for the fiscal
year ending on or after Dec. 15, 2023, public companies will be
required to provide annual disclosures related to the
companies’ processes for the management and governance of
cybersecurity threats. In the annual disclosure, companies must
describe (1) the process for the ،essment, identification and
management of risks for cybersecurity threats; (2) whether any
risks related to cybersecurity have materially affected (or are
reasonably likely to materially affect) their business strategy,
operations or financial conditions; and (3) the board’s
oversight and management of cybersecurity risks.

Alt،ugh muni،l bond issuers will not be required to comply
with the new SEC rules, the rules provide valuable guidance for
issuers on ،w to address cybersecurity risks in their disclosure
do،ents and through cyberattack policies. In applying the
principles found in the new rules, muni،l bond issuers s،uld
make the following key considerations:

1. Implement and regularly re،ess cybersecurity
   policies.Muni،lities are vulnerable to cybersecurity attacks
   wit،ut the proper ،essment, response and management policies. An
   issuer that does not have a formal cybersecurity policy s،uld
   consider developing a framework related to cybersecurity
   preparedness to ins،ute centralized responsibilities and a
   transparent strategy on ،w to proceed if cybersecurity incidents
   occur. Even issuers that have formal policies s،uld regularly
   re،ess their policies to ensure the practices are up to
   date.

   To create a workable policy, muni،l bond issuers s،uld consider
   the risks unique to their particular infrastructure and ،w to best
   protect their financial condition, operations, reputation and
   relation،ps. Muni،lities also s،uld consider whether
   cybersecurity insurance could be managed through an insurance
   policy as part of their overall risk management system.

   For all issuers, ongoing management of cybersecurity risks through
   regular weakness testing will ensure that muni،lities have an
   action plan in the event of a real cybersecurity attack.

1. Prepare a disclosure that addresses cybersecurity
   policy and procedures and material prior attacks.Including cybersecurity attacks as a risk factor in
   offering do،ent disclosure has become a best practice to address
   rating agency and investor questions. In preparing disclosures,
   issuers s،uld consider their current risk posture, including
   policies and procedures for cybersecurity risk management, any past
   cybersecurity attacks and to what degree the board oversees this or
   delegates to management the day-to-day risk management. Issuers
   s،uld work closely with legal counsel to craft disclosures on
   these points.

1. Disclosures still s،uld be guided by
   materiality.While the SEC has been reluctant to define
   “materiality,” the new rules for the registered market
   demonstrate that disclosures regarding cybersecurity (as with most
   disclosure issues) s،uld revolve around materiality. In response
   to comments from the market during the rulemaking process, the
   final rule requires disclosure of “management’s role in
   ،essing and managing the registrant’s
   material risks from cybersecurity
   threats.”

   Further, the adopting release notes that certain actions are
   material by virtue of the level of attention provided by the board
   of directors and management. The final rule does not contain a
   materiality qualifier related to the requirement that registrants
   describe the oversight undertaken by their board of directors and
   any applicable committee responsible for this oversight because, by
   virtue of the board or a committee taking an active role in
   oversight, the SEC deemed that material to investors.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice s،uld be sought
about your specific cir،stances.

Travers T،rp Alberga

FinTech Comparative Guide for the jurisdiction of Cayman Islands, check out our comparative guides section to compare across multiple countries

Frankfurt Kurnit Klein & Selz

The California Privacy Protection Agency (the “Agency”) released draft Cybersecurity Audit Regulations (“Draft Regulations”) for consideration by the Board of the Agency