Near-term amending of Rule 15c2-12 to add cyber incident disclosure unlikely

As cyberattack concerns mount, some attorney experts say it is unlikely that the muni market will soon have a cybersecurity incident disclosure obligation imposed on it similar to the one the Securities and Exchange Commission requires of public companies.

In July 2023, the SEC adopted new rules requiring public companies subject to Securities Exchange Act of 1934 reporting requirements to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information about their cybersecurity risk management, strategy and governance.

The rules require registrants to disclose on an Item 1.05 of Form 8-K any cybersecurity incident they experience that is deemed to be material and to describe the material aspects of its nature, scope and timing as well as material aspects of its impact or reasonably likely impact. An Item 1.05 Form 8-K generally must be filed within four business days of determining that an incident was material.

Beth Coolidge, head of public finance at Oppenheimer & Co., referenced the 2023 rules relating to public company disclosure of cybersecurity incidents in recent remarks.

"It's coming to our world," Coolidge said during a panel discussion held as part of a May 7 Bond Buyer virtual summit on Cybersecurity Risks, adding that "as municipal securities professionals, it is incumbent on us to get in front of it and come up with what we think is a good solution before one is kind of handed to us."

Coolidge also referenced comments made by another panelist, Nikolai Sklaroff, capital finance director at the San Francisco Public Utilities Commission. Sklaroff described the dilemma answering questions in a forum such as the panel discussion presents. While on one hand he wanted to help his issuer colleagues and reach out to financial partners about "how they can better help us," he also was mindful that "bad actors" might be listening as well.

"So I want to be thoughtful about what we say about our industry's vulnerabilities and what we're doing to address them," Sklaroff said during the panel discussion, entitled "Heightened Cyber Activity & Public Finance Preparedness."

Coolidge said Sklaroff's comments resonated with her.

"You don't want to give the bad guys the road map to how you are protecting yourself," she said.

While cyberattacks and bad actors looking to exploit cybersecurity vulnerabilities might be concerns for the municipal securities market, one thing the industry probably doesn't have to worry about in the near future ? at least according to two attorneys ? is an SEC-imposed requirement to disclose cybersecurity incidents involving municipal securities similar to what the commission requires of public companies.

"Any incident disclosure that would impact municipal issuers would require an amendment to Rule 15c2-12," said Ed Fierro, a partner at Bracewell LLP, who earlier in his career served as senior counsel to the director of the SEC's Office of Municipal Securities. "I worked on the Rule 15c2-12 amendments while at the SEC and making any changes to the rule is a very lengthy process."

Rule 15c2-12 of the Securities Exchange Act requires dealers acting as underwriters in primary offerings of municipal securities to reasonably determine that the issuer or obligated person has agreed to provide to the Municipal Securities Rulemaking Board timely notice of certain events.

"The last amendments to Rule 15c2-12 took about 4 years from pre-rule stage, proposed rule stage, and final rule stage," Fierro said. "While circumstances could change, I doubt that we will see any changes to Rule 15c2-12 in the near future."

However, should the SEC ever decide to amend Rule 15c2-12 "it would likely use Item 1.05 of Form 8-K 'Material Cybersecurity Incidents' as a starting point," he said.

"There is some good language in there that allows for delays in reporting cyber incidents when certain circumstances exist," Fierro said.

Bill Rhodes, a partner in the public finance practice at Barnes & Thornburg, said there is no evidence that the SEC is planning to amend Rule 15c2-12 ? in any way ? in the near future.

"Municipal market participants have suggested other reasonable amendments to Rule 15c2-12 and there seems to be no appetite by the SEC to undertake those amendments either," Rhodes said.

While public companies are bound by SEC reporting rules dictating line-item disclosures, the Tower Amendment limits the SEC's power to regulate municipal issuers, "including attempts to dictate form and content of disclosures by municipal issuers in connection with municipal securities offerings," he said.

"That said, the antifraud rules apply to all issuers, including municipal issuers and public companies," Rhodes added. "Therefore, municipal issuers and borrowers often refer to the form and content of public company disclosures to assess the regulators' views on what information they might consider to be material."

In addition, some conduit borrowers are also public companies, "so in those transactions, where SEC filings are typically incorporated by reference in the offering documents for municipal securities, the cybersecurity disclosures would effectively be the same for such conduit borrowers," he said.

Many municipal issuers have indicated some reluctance about disclosing too much information about cybersecurity events and preventative measures, including insurance, out of concern "that over-disclosure could be weaponized against the issuers and borrowers" ? as well as their insurers ? by hackers, Rhodes said.

While such reluctance is understandable "and, to an extent, prudent, there is still a wide array of available information concerning the nature of cybersecurity risks and mitigants that could be disclosed without creating undue risk," the attorney said.