Cybersecurity Disclosure for Municipal Bond Issuers

In an age where cyber threats loom large, municipal entities and 501(c)(3) organizations face escalating risks of sophisticated cyberattacks. These attacks not only pose severe disruptions but also entail significant financial implications. Addressing the aftermath of such incidents demands valuable time and resources, impacting operational efficiency and incurring substantial liabilities. Moreover, credit rating agencies highlight the credit risk cyberattacks impose on municipal bond issuers, potentially leading to a downgrade in credit ratings and heightened borrowing costs.

Disclosure Regulations and Their Implications

On July 26, 2023, the Securities and Exchange Commission (SEC) announced the final rules requiring public companies to divulge material cybersecurity incidents. Additionally, these companies must annually disclose crucial information regarding their cybersecurity risk management, strategy, and governance. While these regulations directly apply to public companies under the Securities Exchange Act of 1934, the SEC encourages municipal markets to adopt similar disclosure requirements. Consequently, these rules provide invaluable guidance to municipal issuers and 501(c)(3) organizations on cybersecurity disclosure practices, offering insights into formulating robust policies and strategies against cyber threats.

Key Disclosure Requirements

The specific requirements for public companies regarding cybersecurity disclosures under the new SEC rules include the following:

  1. Regulation S-K Item 106(b) – Risk management and strategy:

    • Describe processes for the assessment, identification, and management of material risks from cybersecurity threats.
    • Describe whether any cybersecurity threats have materially affected or are reasonably likely to materially affect business strategy, results of operations, or financial condition.
  2. Regulation S-K Item 106(c) – Governance:

    • Describe the board’s oversight of risks from cybersecurity threats.
    • Describe management’s role in assessing and managing material risks from cybersecurity threats.
  3. Form 8-K Item 1.05 – Disclosure of Material Cybersecurity Incidents:

    • Disclose any cybersecurity incident determined to be material, including its nature, scope, timing, and impact or reasonably likely impact.
    • File an Item 1.05 Form 8-K within four business days of determining a material incident.
    • Amend a prior Item 1.05 Form 8-K to disclose any additional information that was not available at the time of the initial filing.
  4. Form 20-F and Form 6-K for Foreign Private Issuers (FPIs):

    • FPIs must describe the board’s oversight of risks from cybersecurity threats.
    • FPIs must describe management’s role in assessing and managing material risks from cybersecurity threats.

These requirements aim to enhance transparency and provide investors with more comprehensive information about the impact of cybersecurity threats on public companies.

Disclosure of Material Cybersecurity Incidents

Effective from December 18, 2023, public companies are mandated to promptly disclose any material cybersecurity incidents and elucidate their significant aspects, encompassing the incident’s nature, scope, timing, and its impact on the company’s financial status and operations. A broad definition of “cybersecurity incident” underscores the comprehensive nature of these disclosures.


Annual Disclosure Obligations

Starting with their annual reports for fiscal years ending on or after December 15, 2023, public companies must provide detailed disclosures concerning their cybersecurity risk management processes. This includes assessments of material risks, the board of directors’ oversight, management’s roles, and integration of cybersecurity processes into the overall risk management framework.

Guidance for Municipal Market Participants

Though not bound by these regulations, municipal market participants can leverage them for insightful guidance. The rules offer a structured framework for drafting cybersecurity risk disclosures in offering documents and formulating effective policies and procedures to counter cyber threats, thereby fortifying the resilience of municipal bonds. In addition, tools like MuniProfile can help issuers track their cybersecurity score and improve transparency for investors as needed. 

Conclusion

In an era where cyber threats loom large, robust cybersecurity disclosures are imperative for safeguarding municipal bonds and mitigating potential risks. By adhering to regulatory guidelines and implementing proactive measures, municipal entities and 501(c)(3) organizations can enhance their resilience against evolving cyber threats, ensuring the integrity and stability of their financial operations in the digital age.

By adhering to these guidelines, municipal entities can effectively navigate the complexities of cyber threats, fortify investor confidence, and uphold the integrity of the municipal bond market.