Three Takeaways For Municipal Bond Issuers From The New SEC Cybersecurity Disclosure Rules – Security

19 September 2023

McGuireWoods LLP


State and local governments increasingly are becoming targets of
cybersecurity attacks. According to CloudSEK, cyberattacks targeting the
government sector increased by 95% worldwide in the second half of
2022, compared to the same period in 2021. With the rise of
cybersecurity threats, S&P Global Ratings, a leading rating
agency, noted that cyberattacks pose a growing credit risk to
municipal bond issuers and warned that weak cybersecurity could
lead to credit downgrades over the next 12 months.

With the increased scrutiny on cybersecurity by S&P and the
growing threat of cyberattacks, disclosure about cybersecurity risk
has become increasingly common for municipal bond issuers. To date,
there is no official guidance from the U.S. Securities and Exchange
Commission (SEC) about inclusion of information on cybersecurity
risks for municipal bond issuers.

This lack of official guidance is due in part to the SEC’s
limited ability to directly regulate municipal bond transactions.
The SEC has indicated that many principles applicable to the
registered market can be applied to the municipal market. Many
municipal issuers also rely on guidance from the registered market
when analyzing disclosure issues. Recent SEC rulemaking on
cybersecurity disclosure is one instance where municipal issuers
can apply these principles.

On July 26, 2023, the SEC adopted a final rule standardizing
cybersecurity disclosure practices for public companies that offers
guideposts for municipal issuers on disclosure about cybersecurity.
Beginning in December 2023, public companies will have to make a
timely materiality determination about cybersecurity incidents and,
if an incident is determined to be material, disclose the same
within four business days of such determination. Importantly, the
SEC provided that an item is material if there is a
“substantial likelihood that a reasonable shareholder”
would deem the information meaningful to make an investment
decision. Once a material cybersecurity incident determination is
made, the company must disclose within four business days: (1) the
nature, scope and timing of the cybersecurity incident; and (2) the
incident’s qualitative and quantitative impact (or the
reasonably likely impact) on the company, including, but not
limited to, its financial condition, operations, reputation and

Additionally, beginning with its annual report for the fiscal
year ending on or after Dec. 15, 2023, public companies will be
required to provide annual disclosures related to the
companies’ processes for the management and governance of
cybersecurity threats. In the annual disclosure, companies must
describe (1) the process for the assessment, identification and
management of risks for cybersecurity threats; (2) whether any
risks related to cybersecurity have materially affected (or are
reasonably likely to materially affect) their business strategy,
operations or financial conditions; and (3) the board’s
oversight and management of cybersecurity risks.

Although municipal bond issuers will not be required to comply
with the new SEC rules, the rules provide valuable guidance for
issuers on how to address cybersecurity risks in their disclosure
documents and through cyberattack policies. In applying the
principles found in the new rules, municipal bond issuers should
make the following key considerations:

  1. Implement and regularly reassess cybersecurity
    Municipalities are vulnerable to cybersecurity attacks
    without the proper assessment, response and management policies. An
    issuer that does not have a formal cybersecurity policy should
    consider developing a framework related to cybersecurity
    preparedness to institute centralized responsibilities and a
    transparent strategy on how to proceed if cybersecurity incidents
    occur. Even issuers that have formal policies should regularly
    reassess their policies to ensure the practices are up to

    To create a workable policy, municipal bond issuers should consider
    the risks unique to their particular infrastructure and how to best
    protect their financial condition, operations, reputation and
    relationships. Municipalities also should consider whether
    cybersecurity insurance could be managed through an insurance
    policy as part of their overall risk management system.

    For all issuers, ongoing management of cybersecurity risks through
    regular weakness testing will ensure that municipalities have an
    action plan in the event of a real cybersecurity attack.

  1. Prepare a disclosure that addresses cybersecurity
    policy and procedures and material prior attacks.
    Including cybersecurity attacks as a risk factor in
    offering document disclosure has become a best practice to address
    rating agency and investor questions. In preparing disclosures,
    issuers should consider their current risk posture, including
    policies and procedures for cybersecurity risk management, any past
    cybersecurity attacks and to what degree the board oversees this or
    delegates to management the day-to-day risk management. Issuers
    should work closely with legal counsel to craft disclosures on
    these points.

  1. Disclosures still should be guided by
    While the SEC has been reluctant to define
    “materiality,” the new rules for the registered market
    demonstrate that disclosures regarding cybersecurity (as with most
    disclosure issues) should revolve around materiality. In response
    to comments from the market during the rulemaking process, the
    final rule requires disclosure of “management’s role in
    assessing and managing the registrant’s
    material risks from cybersecurity

    Further, the adopting release notes that certain actions are
    material by virtue of the level of attention provided by the board
    of directors and management. The final rule does not contain a
    materiality qualifier related to the requirement that registrants
    describe the oversight undertaken by their board of directors and
    any applicable committee responsible for this oversight because, by
    virtue of the board or a committee taking an active role in
    oversight, the SEC deemed that material to investors.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
