19 September 2023
McGuireWoods LLP
State and local governments increasingly are becoming targets of
cybersecurity attacks. According to CloudSEK, cyberattacks targeting the
government sector increased by 95% worldwide in the second half of
2022, compared to the same period in 2021. With the rise of
cybersecurity threats, S&P Global Ratings, a leading rating
agency, noted that cyberattacks pose a growing credit risk to
municipal bond issuers and warned that weak cybersecurity could
lead to credit downgrades over the next 12 months.
With the increased scrutiny on cybersecurity by S&P and the
growing threat of cyberattacks, disclosure about cybersecurity risk
has become increasingly common for municipal bond issuers. To date,
there is no official guidance from the U.S. Securities and Exchange
Commission (SEC) about inclusion of information on cybersecurity
risks for municipal bond issuers.
This lack of official guidance is due in part to the SEC’s
limited ability to directly regulate municipal bond transactions.
The SEC has indicated that many principles applicable to the
registered market can be applied to the municipal market. Many
municipal issuers also rely on guidance from the registered market
when analyzing disclosure issues. Recent SEC rulemaking on
cybersecurity disclosure is one instance where municipal issuers
can apply these principles.
On July 26, 2023, the SEC adopted a final rule standardizing
cybersecurity disclosure practices for public companies that offers
guideposts for municipal issuers on disclosure about cybersecurity.
Beginning in December 2023, public companies will have to make a
timely materiality determination about cybersecurity incidents and,
if an incident is determined to be material, disclose the same
within four business days of such determination. Importantly, the
SEC provided that an item is material if there is a
“substantial likelihood that a reasonable shareholder”
would deem the information meaningful to make an investment
decision. Once a material cybersecurity incident determination is
made, the company must disclose within four business days: (1) the
nature, scope and timing of the cybersecurity incident; and (2) the
incident’s qualitative and quantitative impact (or the
reasonably likely impact) on the company, including, but not
limited to, its financial condition, operations, reputation and
relationships.
Additionally, beginning with its annual report for the fiscal
year ending on or after Dec. 15, 2023, public companies will be
required to provide annual disclosures related to the
companies’ processes for the management and governance of
cybersecurity threats. In the annual disclosure, companies must
describe (1) the process for the assessment, identification and
management of risks for cybersecurity threats; (2) whether any
risks related to cybersecurity have materially affected (or are
reasonably likely to materially affect) their business strategy,
operations or financial conditions; and (3) the board’s
oversight and management of cybersecurity risks.
Although municipal bond issuers will not be required to comply
with the new SEC rules, the rules provide valuable guidance for
issuers on how to address cybersecurity risks in their disclosure
documents and through cyberattack policies. In applying the
principles found in the new rules, municipal bond issuers should
make the following key considerations:
- Implement and regularly reassess cybersecurity
policies. Municipalities are vulnerable to cybersecurity attacks
without the proper assessment, response and management policies. An
issuer that does not have a formal cybersecurity policy should
consider developing a framework related to cybersecurity
preparedness to institute centralized responsibilities and a
transparent strategy on how to proceed if cybersecurity incidents
occur. Even issuers that have formal policies should regularly
reassess their policies to ensure the practices are up to
date. To create a workable policy, municipal bond issuers should consider
the risks unique to their particular infrastructure and how to best
protect their financial condition, operations, reputation and
relationships. Municipalities also should consider whether
cybersecurity insurance could be managed through an insurance
policy as part of their overall risk management system. For all issuers, ongoing management of cybersecurity risks through
regular weakness testing will ensure that municipalities have an
action plan in the event of a real cybersecurity attack.
- Prepare a disclosure that addresses cybersecurity
policy and procedures and material prior attacks. Including cybersecurity attacks as a risk factor in
offering document disclosure has become a best practice to address
rating agency and investor questions. In preparing disclosures,
issuers should consider their current risk posture, including
policies and procedures for cybersecurity risk management, any past
cybersecurity attacks and to what degree the board oversees this or
delegates to management the day-to-day risk management. Issuers
should work closely with legal counsel to craft disclosures on
these points.
- Disclosures still should be guided by
materiality. While the SEC has been reluctant to define
“materiality,” the new rules for the registered market
demonstrate that disclosures regarding cybersecurity (as with most
disclosure issues) should revolve around materiality. In response
to comments from the market during the rulemaking process, the
final rule requires disclosure of “management’s role in
assessing and managing the registrant’s
material risks from cybersecurity
threats.” Further, the adopting release notes that certain actions are
material by virtue of the level of attention provided by the board
of directors and management. The final rule does not contain a
materiality qualifier related to the requirement that registrants
describe the oversight undertaken by their board of directors and
any applicable committee responsible for this oversight because, by
virtue of the board or a committee taking an active role in
oversight, the SEC deemed that material to investors.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.