NFMA urges better cybersecurity disclosure from governments
Hackers are getting smarter, and municipal analysts are urging governments to disclose, and be transparent about, how they mitigate cyberattacks.
This comes as many government employees are working from home due to the coronavirus pandemic. Now it is more likely that a cybercriminal could hack a government that is trying to support a number of employees working from home, according to the National Federation of Municipal Analysts.
It could also mean that COVID-19 serves as a catalyst for more robust information technology protection, analysts said.
“The NFMA undertook the topic of cybersecurity because cyberattacks against state governments, local governments, 501c3 organizations, and conduit borrowers are becoming more commonplace,” Gilbert Southwell wrote in a white paper released by NFMA Wednesday on best practices for disclosing cybersecurity. Southwell is the author of the paper and senior municipal analyst and vice president at Wells Capital Management. “The costs to defend against cyberattacks and to remedy the damages caused by cyberattacks can be material, and present credit, fiscal and operational issues for issuers.”
From Baltimore to Vermont to Atlanta, cybercriminals have gone after large and small governments. Last year in Baltimore, Maryland’s largest city, computer servers were hit with a ransomware attack, forcing the city to shut down its servers and pay $75,000 to the hackers.
The white paper was written in response to a growing number of news reports on municipal cyberattacks, Southwell said.
In 2018, the Securities and Exchange Commission published interpretive guidance to help public companies disclose cybersecurity risks and incidents.
“Clearly, government issuers are under cyberattacks at this point and might take notice of the guidance given in the SEC statement,” Southwell wrote.
However, Southwell said he doesn’t see the SEC issuing separate guidance for state and local governments given its limited regulatory authority over the municipal market.
“They don’t currently have the regulatory authority to go as far as NFMA may like in cyber risk disclosure standards, which is one of the reasons why we put the paper out,” Southwell said.
The municipal market’s approach to cybersecurity event and risk disclosure is ad hoc, said Nicole Byrd, NFMA chair, and the group hopes to bring more consistency to its disclosure practices.
“We don’t expect cyber risks to be going away,” Southwell said. “In fact it may be increasing. We have more sophisticated cybercriminals out there and they are unfortunately picking on local and some state governments.”
The paper listed four places issuers could disclose cyber risk mitigation strategies. Primary market offering statements are the best place for issuers to address cybersecurity risks, past events and mitigation strategies, it said. There they can be disclosed in a generic way or with references to a material cyber incident. That would be in line with the SEC's Rule 10b-5, which prohibits making untrue statements of material fact and material omissions.
In the secondary market, NFMA recommended disclosing cybersecurity risks through SEC Rule 15c2-12 event disclosures. That rule sets forth the types of disclosures an issuer must make in the continuing disclosure agreement it provides to its bondholders. However, it does not specifically address cybersecurity disclosure.
Issuers could also put cybersecurity disclosure in covenants, indentures, loan agreements or lease agreements.
“Part of what we’re suggesting is that cybersecurity risk reporting be put into future indentures and loan agreements or lease agreements because we don’t necessarily see the SEC updating 15c2-12 in the near term,” Southwell said.
Continuing disclosure agreements could also be a home for cybersecurity disclosure. Governments’ annual financial statements, specifically their annual management discussion and analysis as required by the Governmental Accounting Standards Board, could be a place to disclose. Those disclosures could also go into the notes section of their fiscal year-end financial statements, Southwell wrote.
“Such financial statement disclosure may also have the positive effect of discouraging cybercriminals from cyberattacks for those issuers touting their defenses to municipal cybersecurity incidents,” Southwell wrote.
Byrd said state governments are more likely to disclose, given they have larger IT departments than smaller issuers. NFMA also emphasized disclosure may be limited by investigations or create a road map for cyberattackers, but said a minimal level of disclosure must be attempted by issuers.
In March, Moody’s Investors Service analysts said cyberattacks are expected to rise as attackers capitalize on COVID-19 fears.
“A sudden spike in the number of employees working from home also places increased strain on computer systems and online access networks, which increases the risk that IT teams will be less able to guard against a cyber incident,” Moody’s analysts wrote.
Moody’s views cyber risks as an event risk and said disclosures are a useful tool to compare governance practices across issuers.
Cybersecurity disclosure has been increasing since before the white paper, said David Erdman, Wisconsin’s capital finance director.
For the first time, the state discussed cybersecurity and how to address risks at the state level down to local governments in its continuing disclosure annual report, Erdman said.
That paragraph detailed who was leading the efforts for cybersecurity protections and steps taken through 2019.
“It’s good to disclose a lot about it, but the cybersecurity experts in our department were a little concerned about showing too much, because people who are mischievous could take your disclosure and use it against you,” Erdman said. “It’s all a balancing act on that front.”
Comments on the white paper are welcomed by Sept. 20, 2020.