Ensuring Transparency and Disclosure: Navigating Cybersecurity Risks in the Municipal Bond Market
I recently had the honor of being selected to participate in a panel discussion on assessing, mitigating, and disclosing cybersecurity risks in the municipal bond market. The panel was hosted by The California Debt and Investment Advisory Commission and included my good friend Omid Rahmani, as well as Joseph Santiesteban and Sean Yates, both from Orrick, Herrington, & Sutcliffe LLP. The discussion centered around municipal market disclosure fundamentals and evolving practices, and we delved into some of the key issues surrounding cybersecurity in the municipal bond market. In this blog post, I'll be sharing some of the insights and takeaways from the panel discussion.
As the panel discussion highlighted, cyber incidents can have a material impact on any organization's financials. The consequences of a cyber-attack can range from reputational damage to operational disruptions, which can ultimately result in financial losses. In response to the increasing threat of cyber-attacks, the Securities and Exchange Commission (SEC) has introduced rules that require companies to disclose their cybersecurity risks and incidents. The aim of these rulings is to ensure that top management and boards take responsibility for performing their governance duties when it comes to enterprise risk management, particularly when it comes to cyber risks. By disclosing these risks, organizations can provide investors with greater transparency and help them make more informed decisions.
The SEC's proposed cybersecurity disclosure requirements, announced in March 2022, are designed to provide context and guidance for the municipal market. These proposed rules apply to public companies and aim to better inform investors about a company's risk management, strategy, and governance, as well as provide timely notification of material cybersecurity incidents. In addition, the proposed rules seek to create consistent, comparable, and decision-useful disclosures for both risk management and incident notification. By implementing these guidelines, the SEC hopes to encourage companies to improve their cybersecurity practices and provide investors with greater transparency and insight into a company's cyber risks and how they are being managed.
During the panel discussion, we discussed the two categories of reporting when it comes to the SEC's proposed cybersecurity disclosure requirements: periodic disclosure and incident reporting. Periodic disclosure involves providing investors with regular updates on a company's cybersecurity risks and how they are being managed, while incident reporting requires companies to disclose material cybersecurity incidents in a timely manner. By having these two categories of reporting, the SEC aims to create a more comprehensive and transparent system for disclosing cybersecurity risks and incidents, allowing investors to make more informed decisions.
Periodic Disclosure
Under the SEC's proposed cybersecurity disclosure requirements, public companies would be required to disclose their cybersecurity policies and procedures as part of their periodic disclosure. In addition, the proposed rules would require detailed disclosures describing board-level governance, including how the board learns about and discusses cybersecurity issues, whether the board evaluates risks as part of business strategy, risk management and financial oversight, and which directors have cybersecurity credentials. Companies would also be required to disclose their cybersecurity management processes, including whether they have a chief information security officer (CISO) and their credentials, and whether they work with any consultants, auditors or other third parties to help assess cybersecurity risks.
The proposed rules indicate that municipal market participants should review and bolster their cybersecurity policies and disclosure policies, consider any privacy or security incidents involving confidential or personal data and whether they were disclosed to the market, evaluate their procedures for periodic risk assessments internally and with third parties, collect information on cybersecurity expertise of the governing board and key staff members, evaluate current cybersecurity insurance coverage and develop disclosures relating to updated cybersecurity policies and procedures.
The goal of the proposed rules is to create forms that can be used to update and adapt quarterly and annual reports and offering documents. By implementing these guidelines, the SEC aims to improve transparency and consistency in the way that companies report their cybersecurity risks and incidents, and provide investors with a more complete picture of a company's cybersecurity posture.
Incident Reporting
Under the SEC's proposed rules, public companies would be required to disclose any material cybersecurity incidents within four business days from the materiality determination. The rules extend to compromises of the company’s “information system,” including systems owned or used by the company and third-party service providers. There are no exceptions for delayed reporting for law enforcement or national security reasons. Companies would also be required to provide periodic updates reflecting material changes or additions to previously disclosed incidents, including remediation efforts. The proposed rules also require companies to disclose cybersecurity incidents that only become material if aggregated.
To comply with these proposed rules, municipal market participants should revisit and test their incident response plans. They should also consider whether their cybersecurity policies and procedures require employees to quickly escalate cybersecurity incidents to those empowered to make materiality and disclosure determinations. Participants should also examine whether contracts with third parties comprising the “information system” provide for incident reporting and cooperation necessary to make materiality and disclosure determinations regarding third-party cybersecurity incidents. Finally, participants should discuss with bond or disclosure counsel the implications of any cybersecurity incidents and possible voluntary disclosures.
By implementing these guidelines, the SEC aims to ensure that investors receive timely and comprehensive disclosures regarding material cybersecurity incidents, allowing them to make informed decisions when investing in public companies. As the rules are proposed, municipal market participants should review their current policies and procedures to ensure that they can comply with the SEC's disclosure requirements in a timely and effective manner.
Governance of Information and Technology
During the panel discussion, I had the opportunity to share my expertise on the governance of information and technology and its relation to the SEC's proposed rules. I emphasized that governance is a responsibility of the city council or board, not just IT's responsibility. I also discussed the 5 principles of cyber risk oversight, which include ensuring that cyber risks are viewed as enterprise risks. We also addressed some questions regarding the separation of IT and cybersecurity functions and the importance of having cybersecurity expertise or a CISO for local governments. It was a great discussion that highlighted the need for proper governance and risk management in the context of cybersecurity.
Bond Rating
During the panel discussion, we delved into the topic of bond rating and its relationship to cybersecurity risk management. We noted that some corporations have experienced a negative impact on their bond rating due to poor risk management practices. This is because the bond rating agencies evaluate the creditworthiness of organizations, and management's ability to monitor and mitigate risks is a critical factor in their rating calculations. Although no local government has yet experienced a negative credit rating as a result of a cyber incident, it has been publicly expressed that management involvement in cyber risk is factored into bond rating assessments. Therefore, it is essential for local governments to recognize the asymmetrical risk that cybersecurity poses and adopt effective governance frameworks to ensure their long-term financial health.
Indeed, while the SEC's proposed rules for cybersecurity disclosures are not mandatory for local governments, it is essential for these entities to take them seriously as they can have a significant impact on their financial health. As we discussed in the panel, bond rating agencies are considering the governance of cyber risks as part of their criteria for rating bonds. Any mismanagement of cyber risks can have negative effects on the organization's credit rating and potentially lead to higher borrowing costs. Therefore, it is crucial for local governments to review their cybersecurity policies and procedures and ensure they have adequate measures in place to mitigate cyber risks. Taking these steps can help local governments maintain their financial stability and reputation in the eyes of the bond rating agencies and investors.
My Thoughts on the SEC Ruling
The SEC ruling requiring public companies to disclose material cybersecurity incidents within four business days from the materiality determination is a step in the right direction. However, local governments should not be excluded from these same requirements. Investors in municipal bonds face the same risks as those investing in publicly traded companies, and mismanagement of cyber risks can have a significant impact on the financial health of a local government. Bond ratings are starting to reflect this, with negative credit ratings being given to organizations that fail to take cyber risks seriously. While the SEC ruling is not currently a requirement for local governments, it should be viewed as best practice guidelines. Waiting for regulations to become requirements is not an ethical or responsible approach to managing public funds. As investors and taxpayers, we want to see our money being used wisely and proactively mitigating cyber risks is one way to achieve that.
Note
Feedback from attendees: "On a scale of 1-5, the Day 2 attendees really liked your interactions with them and found you extremely knowledgeable with excellent content and delivery style, for an average score of 4.92, which was the highest score received by any speaker for Day 2."
Update
Updated 8 APR 2023
Resources
This is a new potential cost and risk related to disclosing misleading information about a data breach or ransomware attack. Blackbaud to Pay $3M for Misleading Ransomware Attack Disclosure. To settle the SEC's charges (but without confirming or denying the SEC's findings), Blackbaud has agreed to pay a $3 million civil penalty for failing to disclose the full scope of the cyber-attack. "Public companies have an obligation to provide their investors with accurate and timely material information; Blackbaud failed to do so." David Hirsch, the head of the SEC Enforcement Division's Crypto Assets and Cyber Unit. https://www.bleepingcomputer.com/news/security/blackbaud-to-pay-3m-for-misleading-ransomware-attack-disclosure/
The Securities and Exchange Commission found in recent examinations that some advisors had inadequate compliance policies and procedures, according to a risk alert released Monday. For instance, advisors used off-the-shelf compliance programs that were not tailored to their businesses or risks, or they outsourced compliance functions without assessing how third parties were performing them. They also allocated too few resources to compliance. https://www.investmentnews.com/sec-faults-new-advisors-for-compliance-shortcomings-235657
Moody’s Corp. said the incident was “credit negative” for AT&T because it could negatively impact customer behavior, attract regulatory scrutiny or cause churn to spike. “Cyber incidents in the telecoms industry appear to be rising, raising questions about the industry’s cyber risk governance and defenses, as well as the overall exposure profile. The AT&T breach, stemming from a hack against a marketing vendor, further highlights the multitude of exposure lanes for cyberattacks,” Neil Begley, senior vice president for Moody’s Investors Service, said in a statement. - Wall Street Journal
The cyberattack on Suffolk County, NY (A-/Stable) highlights increased risks to U.S. state and local governments as such attacks become more common, according to Fitch Ratings. Under Fitch's U.S. Tax-Supported Rating Criteria, management quality, including its capacity to manage the impacts of cyberattacks, could be considered an asymmetric risk factor that would negatively affect the county's credit rating. https://www.fitchratings.com/research/us-public-finance/suffolk-county-ny-cyberattack-highlights-growing-risks-to-state-local-governments-05-10-2022
Comments