Anna Horevay and T.W. Bruno Quoted on Cybersecurity Disclosures

The importance of cybersecurity disclosures in the municipal bond market is becoming increasingly evident. Public finance partners Anna Horevay and T.W. Bruno from McGuireWoods recently spoke with The Bond Buyer about this critical issue. The focus on cybersecurity disclosures was heightened after a 2024 cyberattack that led to the loss of millions of dollars in a municipal bond offering by White Lake Township, Michigan.

According to The Bond Buyer, market participants are calling for enhanced guidance from the U.S. Securities and Exchange Commission (SEC) on cybersecurity disclosures in the municipal bond market. While the SEC implemented a final rule in 2023 requiring public companies to report significant cybersecurity incidents within four days, there are currently no official guidelines for disclosing risks or attacks in municipal bond transactions.

Horevay pointed out the limitations in the municipal bond market by stating, “we tend to look at what’s happening in the corporate market for ideas about what we should be doing and what we shouldn’t be doing.” The cyberattack in Michigan is one of the few publicly disclosed incidents of its kind, with other attempted hacks remaining undisclosed due to issuers and firms being hesitant to share their experiences.

Bruno highlighted the ethical dilemma faced by issuers, stating, “I can see a situation where somebody would worry about disclosing [a cyberattack], but at the same time if you’ve got bonds out there, this is what your obligation is, evaluating whether it’s material or not.” Despite the potential concerns about reputational damage, issuers are obligated to assess the materiality of cybersecurity incidents.

In a legal alert dated September 6, 2023, Horevay and Bruno presented key insights for municipal bond issuers based on the SEC’s cybersecurity disclosure rules, which were cited by The Bond Buyer in their article. Their proactive approach to addressing cybersecurity concerns demonstrates their thought leadership on this topic.

In conclusion, the municipal bond market lacks comprehensive guidance on cybersecurity disclosures, leaving issuers and firms uncertain about how to proceed in the event of cyberattacks. The incident in White Lake Township serves as a stark reminder of the potential risks associated with inadequate cybersecurity measures in the municipal bond market. As cybersecurity threats continue to evolve, it is essential for market participants to prioritize transparency and preparedness in their cybersecurity practices.