How much should muni issuers disclose when it comes to cybersecurity?
WASHINGTON — Issuer officials are concerned that a regulatory push for more comprehensive disclosure could put their computer systems at risk of being exploited by hackers.
Richard Li, a public debt specialist for the city of Milwaukee, spoke to The Bond Buyer about his concerns after attending the Securities and Exchange Commission's disclosure conference last week. At that event, “The Road Ahead: Municipal Securities Disclosure in an Evolving Market,” various stakeholders discussed materiality and cybersecurity disclosure.
Some investors have said they want issuers to disclose information about their cybersecurity measures, and regulators have signaled that they want investors to have access to material information that could influence their investment decisions.
At one of the conference sessions, Fidelity research analyst Amy Johonnett said she wants to know if issuers have cybersecurity insurance, which would indicate to investors that municipalities are looking into security.
But Li was concerned that disclosing a city's cybersecurity measures could open the door to hackers and serve as a road map for them. He stressed that the views were his own, rather than an official position of the city.
“What can you tell people about your cybersecurity readiness without actually telling them where your weaknesses are?” he said. “That could give potential hackers a road map on the best way to attack the issuer.”
Li said Milwaukee’s disclosure counsel just tells investors whose job it is to monitor cybersecurity and that they’re generally looking into it.
“You can tell people that there’s a risk, the city could be attacked, and it would be difficult for the city,” Li said. “But that’s no different than saying, you buy a stock and the price could go up or the price could go down. It’s not helpful.”
Li referenced Atlanta, which in late March was hacked by a crew called the SamSam Group. The attack froze city systems for five days.
If Milwaukee's systems were hacked, Li said he would disclose it and tell people what they’re doing to remediate it. Muni issuers have a lot of risk, he said, and cities’ important information is on the web.
Orrick, Herrington & Sutcliffe advises clients on cybersecurity, and Roger Davis, a partner at the firm, said cybersecurity has become an increasingly common theme among clients. In response to Li, Davis said it may be unnecessary to disclose details.
“I don’t know that it would be necessary to disclose such detail as it would create a road map for invitation to attack the entity, although to some extent there may be some modest validity to that concern,” Davis said.
He echoed Li in saying that munis have data that could attract cyber criminals. If a city is hacked, he said an investor would want to know about it and whether the city has policies and procedures in place as well as whether there is technology focused on protecting their data.
Cybersecurity information could be material to investors, Davis said. The Supreme Court has interpreted materiality to mean information that a reasonable investor would likely consider important when making an investment decision.
“For most entities it probably is (material) because it has substantial data that might foreseeably attract cybersecurity criminals,” he said.
Ernie Lanza, a senior counsel at Clark Hill, said issuers have to strike a balance between being transparent and being careful. Since there are no specific requirements, finding out what is material is a judgment call.
However, he said the muni market is used to not having extensive disclosure.
Li said he sympathized with the aim of transparency, but still wrestled with how to comply safely.
“If you have a cyber weakness, investors want to know about it, and I can appreciate that,” he said. “But how do you tell them in a way that doesn’t expose your weakness?”