
Updated: 26 Tir 1404
Three Takeaways For Municipal Bond Issuers From The New SEC Cybersecurity Disclosure Rules - Security
19 September 2023
McGuireWoods LLP

State and local governments increasingly are becoming targets of cybersecurity attacks. According to CloudSEK, cyberattacks targeting the government sector increased by 95% worldwide in the second half of 2022, compared to the same period in 2021. With the rise of cybersecurity threats, S&P Global Ratings, a leading rating agency, noted that cyberattacks pose a growing credit risk to municipal bond issuers and warned that weak cybersecurity could lead to credit downgrades over the next 12 months.
With the increased scrutiny on cybersecurity by S&P and the growing threat of cyberattacks, disclosure about cybersecurity risk has become increasingly common for municipal bond issuers. To date, there is no official guidance from the U.S. Securities and Exchange Commission (SEC) about inclusion of information on cybersecurity risks for municipal bond issuers.
This lack of official guidance is due in part to the SEC's limited ability to directly regulate municipal bond transactions. The SEC has indicated that many principles applicable to the registered market can be applied to the municipal market. Many municipal issuers also rely on guidance from the registered market when analyzing disclosure issues. Recent SEC rulemaking on cybersecurity disclosure is one instance where municipal issuers can apply these principles.
On July 26, 2023, the SEC adopted a final rule standardizing cybersecurity disclosure practices for public companies that offers guideposts for municipal issuers on disclosure about cybersecurity. Beginning in December 2023, public companies will have to make a timely materiality determination about cybersecurity incidents and, if an incident is determined to be material, disclose the same within four business days of such determination. Importantly, the SEC provided that an item is material if there is a "substantial likelihood that a reasonable shareholder" would deem the information meaningful to make an investment decision. Once a material cybersecurity incident determination is made, the company must disclose within four business days: (1) the nature, scope and timing of the cybersecurity incident; and (2) the incident's qualitative and quantitative impact (or the reasonably likely impact) on the company, including, but not limited to, its financial condition, operations, reputation and relationships.
Additionally, beginning with its annual report for the fiscal year ending on or after Dec. 15, 2023, public companies will be required to provide annual disclosures related to the companies' processes for the management and governance of cybersecurity threats. In the annual disclosure, companies must describe (1) the process for the assessment, identification and management of risks for cybersecurity threats; (2) whether any risks related to cybersecurity have materially affected (or are reasonably likely to materially affect) their business strategy, operations or financial conditions; and (3) the board's oversight and management of cybersecurity risks.
Although municipal bond issuers will not be required to comply with the new SEC rules, the rules provide valuable guidance for issuers on how to address cybersecurity risks in their disclosure documents and through cyberattack policies. In applying the principles found in the new rules, municipal bond issuers should make the following key considerations:
- Implement and regularly reassess cybersecurity policies. Municipalities are vulnerable to cybersecurity attacks without the proper assessment, response and management policies. An issuer that does not have a formal cybersecurity policy should consider developing a framework related to cybersecurity preparedness to institute centralized responsibilities and a transparent strategy on how to proceed if cybersecurity incidents occur. Even issuers that have formal policies should regularly reassess their policies to ensure the practices are up to date.
To create a workable policy, municipal bond issuers should consider the risks unique to their particular infrastructure and how to best protect their financial condition, operations, reputation and relationships. Municipalities also should consider whether cybersecurity insurance could be managed through an insurance policy as part of their overall risk management system.
For all issuers, ongoing management of cybersecurity risks through regular weakness testing will ensure that municipalities have an action plan in the event of a real cybersecurity attack.
- Prepare a disclosure that addresses cybersecurity policy and procedures and material prior attacks. Including cybersecurity attacks as a risk factor in offering document disclosure has become a best practice to address rating agency and investor questions. In preparing disclosures, issuers should consider their current risk posture, including policies and procedures for cybersecurity risk management, any past cybersecurity attacks and to what degree the board oversees this or delegates to management the day-to-day risk management. Issuers should work closely with legal counsel to craft disclosures on these points.
- Disclosures still should be guided by materiality. While the SEC has been reluctant to define "materiality," the new rules for the registered market demonstrate that disclosures regarding cybersecurity (as with most disclosure issues) should revolve around materiality. In response to comments from the market during the rulemaking process, the final rule requires disclosure of "management's role in assessing and managing the registrant's material risks from cybersecurity threats."
Further, the adopting release notes that certain actions are material by virtue of the level of attention provided by the board of directors and management. The final rule does not contain a materiality qualifier related to the requirement that registrants describe the oversight undertaken by their board of directors and any applicable committee responsible for this oversight because, by virtue of the board or a committee taking an active role in oversight, the SEC deemed that material to investors.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
Source: http://www.mondaq.com/Article/1363460