Stronger cybersecurity disclosures needed in wake of Michigan township hack

At the Bond Dealers of America's March conference in Chicago, the cybersecurity panel included, from left: Beth Coolidge, managing director and head of public finance at Oppenheimer; Dale Scott, CEO of WireSafe; Omid Rahmani, associate director and public finance cybersecurity lead at Fitch Ratings; and moderator Alex Wallace, managing director at Loop Capital Markets.

Media coverage of the White Lake, Michigan, township hack has brought the need for cybersecurity disclosure to the forefront, with some market participants arguing the muni market needs to follow the corporate securities market and the U.S. Securities and Exchange Commission guidance.

The Michigan township hack is the best-known and publicly disclosed example of a cyberattack on a bond closing. The theft — of which $23.6 million of the $29 million purchase price has been recovered — remains under investigation by federal authorities, including the SEC, for possible federal securities laws violations, according to a supplement in the township's preliminary offering statement for the $29 million negotiated sale planned to replace the hacked sale, which was canceled.

However, other attempted financing hacks have occurred, though issuers and firms are reluctant to share their experiences publicly.

"I can see a situation where somebody would worry about disclosing [a cyberattack], but at the same time if you've got bonds out there, this is what your obligation is, evaluating whether it's material or not," said T.W. Bruno, a partner and transaction lawyer at McGuireWoods, a law firm headquartered in Richmond, Virginia.

Disclosing these incidents is essential — even if private companies or issuers are reluctant to do so — as it allows law enforcement to build their database, understand the trends and try to prevent this from happening in the future, said Jason Kravitz, a practice group leader who heads Nixon Peabody's cybersecurity and privacy team.

And more reported incidents will encourage companies, organizations and bond issuers to take the problem more seriously because of the negative implications: costs of dealing with these bad actors and potential litigation, problems financing future deals and ratings impact, he noted.

For example, Fitch Ratings, which is tracking a double-digit increase in the frequency of cyber crime in the muni sector, downgraded two ratings in the past year following cyber incidents, Omid Rahmani, associate director and public finance cybersecurity lead at the rating agency, said at the recent Bond Dealers of America conference in Chicago.

The credits downgraded were Palomar Health in California, which took months to recover from a cyber incident, and Frederick Health in Maryland, which was the victim of a ransomware attack.

"In both situations, the recovery phase of the cyber incident contributed to the rating action," Rahmani told The Bond Buyer, underscoring that from a credit profile standpoint, it's ultimately about how fast you recover.

"As a public finance banker, you can look at it from two sides," Beth Coolidge, managing director and head of public finance at Oppenheimer, said at the BDA conference, one side being disclosure and the other involving stronger vigilance by issuers. "There are no guidelines for our industry. … It's the investor community and the rating agencies that typically force the issue."

"I kind of look at where we're sitting right now on cybersecurity as [being like] the pension issue years ago, where nobody was really disclosing it, nobody was really talking much about it," she said. "I think we're at an inflection point right now, especially with the SEC coming out with very specific rules for the corporate securities market around disclosure. We should start, as an industry, thinking about how we organize ourselves around that, as well."

Currently, there are no official guidelines from the SEC for munis about disclosing cybersecurity risks or attacks, but "we tend to look at what's happening in the corporate market for ideas about what we should be doing and what we shouldn't be doing," said Anna C. Horevay, a lawyer and public finance partner at McGuireWoods.

This lack of official guidance is partly due to the SEC's limited ability to regulate municipal bond transactions directly, Horevay and Bruno noted in a 2023 paper.

Therefore, more formal disclosures would most likely come from elsewhere, potentially including legislation and guidance from Congress and the other regulatory agencies, Kravitz said.

And as for groups like the Municipal Securities Rulemaking Board, "the regulators are starting to look at this problem and they're starting to gather data about the problem and about how the problem is being handled," said Rahmani.

Despite the current lack of disclosure requirements, "the SEC has indicated that many principles applicable to the registered market can be applied to the municipal market," Horevay and Bruno said. "Many municipal issuers also rely on guidance from the registered market when analyzing disclosure issues."

The SEC adopted a rule in July 2023 to standardize cybersecurity disclosure practices for public companies, which are now required to report cybersecurity incidents determined to be material within four days.

While muni issuers are not required to comply with SEC rules, the rules offer assistance in addressing cybersecurity risks in their disclosure documents and through cyberattack policies, according to Horevay and Bruno.

When applying these rules, issuers should consider factors including implementing and regularly reassessing cybersecurity policies, they noted.

To create a "workable policy," issuers should consider the risks to their infrastructure and how to best protect themselves, they said, noting cybersecurity insurance should also be considered.

However, cyber insurance, while important, is "not the way to solve your problem," Rahmani told the audience at the Chicago conference. For one thing, people are often underinsured, and for another, the insurance companies "are going to come up with all kinds of ways to protect themselves."

"Cyber insurance has really matured," Rahmani said. "The insurance companies are doing stricter audits of the people that they're insuring. And they have a lot of outs now. So if you're not performing to at least industry standards, they won't pay the policy."

He noted that two years ago Lloyd's of London — an insurance community leader on regulation — decided to no longer honor cyber insurance policies if it could connect the attack to a nation-state actor.

"The problem with that is, a lot of the groups that target this community are nation-state or quasi-nation-state actors," Rahmani told the conference. "Even if they're criminal organizations, they're ones that have support from the nation-state. That can be a problem if you're relying on your cyber insurance."

Other considerations for muni issuers include preparing a disclosure that addresses cybersecurity policy and procedures and material prior attacks and that is guided by materiality, according to McGuireWoods' lawyers.

For the former, disclosing cyberattacks has become a "best practice" to address questions from investors and rating agencies, they said.

And for the latter, cybersecurity incidents should be disclosed if they are "material," or determined to be "a substantial likelihood that a reasonable investor would consider it important in making an investment decision or whether it would significantly alter the total mix of information made available," McGuireWoods lawyers, including Horevay and Bruno, said in a 2024 report.

Disclosing these cyberattacks to consumers, "whether those are individuals, investors or companies, gives them the information they need to make informed decisions ... knowing full well that the issuer has spent however much on cyber insurance to protect against these types of unfortunate events," Kravitz said.

As cyberattacks become more prevalent, cybersecurity disclosure is here to stay.

"We're going to continue to see this type of disclosure in offering documents moving forward," Horevay said. "I don't see it going away as we are moving into a more and more technologically based society, and these attacks are becoming more and more prevalent."

Issuers have to fend off inside and outside attacks, so "the more reliant we are on having these technological-based systems or revenue collection, the more it becomes important to make sure that there's defenses in place against attacks," she noted.
