The topics of Cybersecurity and Climate Change disclosure are generating increased investor and rating agency interest in municipal bond issuances. The Securities and Exchange Commission (SEC) has expressed concerns about the adequacy of such disclosure given the increased frequency of cybersecurity breaches and severe weather-related events and their impact on municipalities’ operations. SEC Release on Cybersecurity Disclosure; SEC Statement on Climate-Related Disclosure. Risks related to cybersecurity and climate change may be material to potential investors, and therefore, should be disclosed in bond offering documents.
Municipalities, like many other public and private entities, rely heavily on technology to conduct their operations, and as a result, are vulnerable to cyber threats. Yet, many municipal issuers fail to disclose these risks when they could have a material impact on operations due to, among other factors:
- a misunderstanding of the cyber issues by the individuals preparing the disclosures;
- the need to protect and keep private the mitigation measures; or
- uncertainty surrounding the potential impact of the cyber threats.
Lack of disclosure, however, will leave investors wondering whether there have been any threats or attacks and whether any mitigation strategy against such attacks exists at all. Investors want to assess the adequacy of the disclosure for the level of risk and the nature and quality of the management capabilities and mitigation strategies of the issuer. Topics relative to cybersecurity disclosure should include:
- recent cyber-attacks, that did, or could have, a material effect on operations; and
- mitigation strategies against cyber-attacks such as, insurance to protect against such attacks, upgrades to software and policies and committees put in place relating to the security of the network.
While the impacts of climate change have received media attention for many years, consideration of climate change in disclosure documents is a relatively new and evolving expectation. Earlier this year, the SEC created a Climate and Environmental Social Governance (ESG) Task Force to develop initiatives to identify climate and ESG disclosure related conduct. Given the SEC’s heightened focus and that the increase in severe weather may impact state and local tax collections and increase infrastructure costs, municipal issuers should evaluate their current practice related to disclosure of climate risk to ensure that such risks are being vetted and disclosed. Specifically, municipalities should disclose:
- recent weather-related events that had an impact on operations;
- geographic location and what weather events it may be vulnerable to in light of the location such as flooding, wind and/or fires and their potential impact; and
- best practices for monitoring the ever-changing impacts of climate change and any plan for disclosure of such risks for future issuances.
Municipal issuers should consult with the professionals that assist them with their offering documents, including their municipal advisors and disclosure counsel, if any, to ensure that such offering documents include adequate cybersecurity and climate change disclosure.