Spotlight on Public Finance: Fall 2019

Fall 2019 Newsletter

Featured Articles
Attorney Spotlight
Attorneys in Action
Events
Updates
Did You Know?

FEATURED ARTICLES

Cybersecurity and Climate Change: Considerations for Municipal Issuers

By Barron F. Wallace, Ed Fierro and Sarah Tahir

Cybersecurity

Municipal entities have increasingly fallen victim to cyberattacks in their varied forms. Over the course of the last 10 months, 140 local governments, law enforcement units and hospitals across the US have been victims of ransomware attacks. In Texas, coordinated ransomware assaults have targeted 22 small towns. Ransomware onslaughts generally start with an email containing a link or an attachment that permits hackers to take over the entity’s network and data. Once locked from its own system, the governmental entity finds itself between a rock and a hard place, where it can either remain without access to its data, or succumb to the hackers and pay a ransom.

Additionally, data breaches, where hackers or other unauthorized users may seize vast amounts of sensitive information, also present risks for municipal issuers. The City of Bakersfield, California, has, for example, experienced 2 successive data breach incidents in the last 11 months, whereby hackers targeted the online payment system used by the city to process online payments for building permits, utility bills and business license renewals.

Another form of cyberattack includes business email compromise schemes. Such scams involve emails from purported executives or third-party consultants requesting funds to be remitted by unsuspecting employees. In sum, criminals are steadily becoming more creative and methodical in their attempts to launch cyberattacks against municipal issuers, and municipal issuers are at risk of being targeted in such schemes.

To date, the Securities and Exchange Commission (SEC) has not published guidance for municipal issuers on cybersecurity disclosure or pursued any enforcement actions involving municipal issuers and cybersecurity. If the SEC updates its 1994 Interpretive Guidance Regarding Disclosure Obligations of Municipal Issuers, some predict that such guidance will include cybersecurity disclosure.
For now, we can analyze what the SEC has said about public company cybersecurity disclosure. In 2011, SEC staff issued guidance stating that although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, public companies nonetheless may be obligated to disclose such risks and incidents. The SEC staff advised that public companies should consider the adequacy of cybersecurity disclosure in registration statements in the context of Rule 10b-5 of the
