All content Copyright 2022 Fixed Income Insights. All rights reserved.
Bond Market Regulations
By Dan Deaton, Partner, Nixon Peabody LLP

Tackling Cybersecurity Disclosure

While cybersecurity disclosure has become an increasing focus in the municipal securities market, many market participants struggle to understand what effective cybersecurity disclosure looks like. Oftentimes cybersecurity disclosure is overly generic and provides investors with no information that they do not already have. In this article, we discuss the recent United States Securities and Exchange Commission (the “SEC”) proposed rules that would overhaul the cybersecurity disclosure regime in the corporate securities market to develop principles that the municipal securities market can use to prepare meaningful cybersecurity disclosure.
In today’s digitally connected world, cybersecurity threats and incidents pose an ongoing and escalating risk to public companies, investors, and market participants. Cybersecurity risks have increased for a variety of reasons, including the digitalization of registrants’ operations; the prevalence of remote work, which has become even more widespread because of the COVID-19 pandemic; the ability of cybercriminals to monetize cybersecurity incidents, such as through ransomware, black markets for stolen data, and the use of crypto-assets for such transactions; the growth of digital payments; and increasing company reliance on third-party service providers for information technology services, including cloud computing technology. In particular, cybersecurity incidents involving third-party service provider vulnerabilities are becoming more frequent.
In response to these concerns, on March 9, 2022, the SEC proposed significant changes to the corporate securities disclosure rules that would require corporate issuers of stock and debt securities to make new disclosures concerning cybersecurity risks and incidents. The SEC’s proposed rules would require two new kinds of cybersecurity disclosures. First, a public company would be required to disclose any material cybersecurity incident within four business days after it determines that it has experienced such an incident. Second, public companies would be required to include new categories of information in their periodic disclosures, including (1) a description of their policies and procedures to identify and manage cybersecurity risks, (2) management’s role in implementing cybersecurity policies and procedures, and (3) the board of directors’ cybersecurity expertise and oversight of cybersecurity risk.
To be clear, the proposed rules do not apply to the municipal securities market, but the SEC’s proposed rules for public companies are helpful to us in the municipal securities market because they provide current guidance from the SEC concerning what it views as effective cybersecurity disclosure. Public companies have the same difficulties that municipal securities market participants do: how do we figure out what we are supposed to disclose so that investors understand the cybersecurity risks that are a concern for our particular organization? The SEC has in essence undertaken an effort to sort through what it thinks is merely operational detail that does not concern investors and what represents key material facts that shape investors’ investment decisions. In that sense, we can learn a lot from what the SEC has done in this recent release.
How should we approach cybersecurity disclosure in the municipal securities market?
Based on the SEC’s proposed rules and on our experience crafting cybersecurity disclosure in the municipal securities market, we believe that effective cybersecurity disclosure follows the principles set out below, which help to ensure that it remains meaningful to investors.
Focus on what the investor needs to know
Much of the SEC’s effort in the proposed rules is to focus public companies on the information that investors need to know in order to make informed investment decisions. A good example of this is the SEC’s guidance regarding what constitutes a material cybersecurity incident: if the proposed rules become final, public companies will be required to report the occurrence of a material cybersecurity incident within four business days. The SEC stated:
The following is a non-exclusive list of examples of cybersecurity incidents that may, if determined by the registrant to be material, trigger the proposed… disclosure requirement:
• An unauthorized incident that has compromised the confidentiality, integrity, or availability of an information asset (data, system, or network); or violated the registrant’s security policies or procedures. Incidents may stem from the accidental exposure of data or from a deliberate attack to steal or alter data;
• An unauthorized incident that caused degradation, interruption, loss of control, damage to, or loss of operational technology systems;
• An incident in which an unauthorized party accessed, or a party exceeded authorized access, and altered, or has stolen sensitive business information, personally identifiable information, intellectual property, or information that has resulted, or may result, in a loss or liability for the registrant;
• An incident in which a malicious actor has offered to sell or has threatened to publicly disclose sensitive company data; or
• An incident in which a malicious actor has demanded payment to restore company data that was stolen or altered.
Taken as a whole, we read this non-exhaustive list as an effort by the SEC to move public companies away from generic cybersecurity disclosure and toward disclosing the kind of incidents and information about them that may actually impair the value of a public company’s securities. The common denominator among these examples is that they represent some incident that goes to the integrity of the operating systems or has caused the public company loss such that an investor needs to be able to factor that event into its overall understanding of the public company’s financial and operating condition. In other words, the incident was not something in the “weeds” of the public company’s operations but something that can go to the heart of the operational integrity of the public company or has caused a significant loss.
We think that this can easily be applied to the municipal securities market. In our experience, cybersecurity disclosure can sometimes become overly generic instead of focusing on how cybersecurity incidents or vulnerabilities can affect the business or operations of the issuer. As with all other disclosure, the most important part of any effective cybersecurity disclosure is the ability to connect facts concerning cybersecurity risks to how those facts inform an investor’s investment decision. The SEC’s commentary focuses on how cybersecurity risks and vulnerabilities can affect investors, either because they pose a potential risk to operations or because they pose a potential risk of major loss.
Due diligence is as important as disclosure
As with any area of disclosure, it is crucial to make sure that those who are crafting the cybersecurity disclosure are aware of all of the significant facts that may need to be considered, and thorough, targeted due diligence can help to frame what is ultimately disclosed. Some of the key questions that should be asked are:
- Who or what department is the expert on the cybersecurity risks and vulnerabilities facing the issuer or borrower?
- Does the issuer or borrower have a known vulnerability that can rise to the level of impacting an investment decision by an investor?
- Has there been a major cybersecurity incident that may call into question the integrity of the operating systems of the issuer or the borrower?
In some instances, we have been surprised at how well we are able to understand the cybersecurity risk profile of an issuer or borrower through due diligence. In some cases, for example, the issuer could eliminate the vast majority of the cybersecurity risks to its operations by eliminating the ability to reach its systems through remote access. In other situations, the issuer had addressed its vulnerabilities through technology investments. Accordingly, asking the right probing questions usually elicits the key facts, and the cybersecurity disclosure somewhat takes care of itself once the key facts are known.
What does management know and what does management plan to do?
In the proposed rules, the SEC focuses as much on risk management, strategy, and governance as it does on incidents. The SEC stated that “[s]taff in the Division of Corporation Finance has observed that most of the registrants that disclosed a cybersecurity incident in 2021 did not describe their cybersecurity risk oversight and related policies and procedures.” The SEC stated that it believes that this information benefits investors for two reasons. First, disclosure about a cybersecurity risk assessment program and related activities designed to prevent, detect, and minimize effects of cybersecurity incidents can improve an investor’s understanding of the company’s risk profile. Second, cybersecurity risks can affect different businesses differently and accordingly can impact the business strategy of the company. The SEC cited examples of how cybersecurity risks can impact business strategy. A company that knows it relies on collecting and safeguarding sensitive and personally identifiable information from its customers may need to raise capital to improve its technological ability to protect that information. Also, a company may develop a business model that avoids collecting this information. In each case, these “strategic decisions have implications for the company’s financial planning and future financial performance.” Thus, in short, the SEC believes that disclosure concerning how management of a company perceives a cybersecurity risk and what the company plans on doing about that risk are important disclosures to investors that form a critical part of the cybersecurity profile of the company.
We do not believe that this emphasis by the SEC is new. Cybersecurity disclosure is one of many topics where the risks to investors are somewhat uncertain and ill-defined. In that sense, it is like climate change disclosure and even like the risks that issuers and borrowers faced from the economic challenges brought on by the COVID-19 pandemic. In circumstances like these, where the issuer or borrower really does not have much it can tell investors, the key is to focus on what management knows and what it is planning to do. That helps investors for two reasons. First, management is closest to the facts, and investors want to know how management is reacting to these uncertain risks. Second, as the SEC notes, oftentimes the risk in these uncertain areas is not the risk itself but how management reacts to the risk. The SEC’s example of a public company exiting a business model is a good one. Perhaps investors are not all that worried about the risk of a cybersecurity attack, but if management decides to exit a profitable business model due to that risk, then that could matter quite a bit to investors.
Thus, when investigating an issuer or borrower and when crafting cybersecurity disclosure, we believe it is important to focus on what management knows about its cybersecurity risks, vulnerabilities, and incidents and what management is planning to do about them.
Don’t over-focus on cybersecurity disclosure when preparing cybersecurity disclosure
We need to be careful not to define too narrowly what cybersecurity disclosure entails. As we note above about the SEC’s focus on management, sometimes the biggest risk to investors from cybersecurity risks is not the cybersecurity risk itself but the other implications that flow from it. The SEC’s examples of how management will react to cybersecurity risks may be even more significant to investors than the risk that hackers may attack, ransom, or compromise the company’s operating systems. In the municipal securities market, we can experience the same problem. An issuer or borrower may decide to spend considerable capital to avoid cybersecurity risks, or to eliminate technological features in a way that exposes it to other risks or higher costs, or it may decide to take other actions that create risks for investors that are broader than just whether there are technological vulnerabilities in its operating systems. When considering what is appropriate disclosure, we need to be sure that we are not placing blinders on our eyes and overly focusing on a narrow set of facts when other facts may in fact be as or more important.
Concluding thoughts
In our experience, some municipal market participants are struggling with how to approach cybersecurity disclosure, and we think that with the increase in cybersecurity incidents and the SEC’s proposed rules, guidance is being developed to help us craft effective cybersecurity disclosure. As with many areas, cybersecurity disclosure can seem to involve disclosing more of what an issuer doesn’t know than what it does know. But as with other areas, as we focus more on the information that matters to investors and on the other areas that the SEC directs corporate issuers to focus on, cybersecurity disclosure will improve and keep pace with cybersecurity disclosure in the corporate securities market.