Spotlight on Public Finance: Fall 2019

Exchange Act, among other regulations. After the issuance of this guidance, many public companies began including cybersecurity disclosure in registration statements, typically in the form of a risk factor. In 2018, due to the increasing significance of cybersecurity incidents, the SEC reaffirmed the staff’s 2011 guidance and expanded upon it by focusing on, among other things, the importance of maintaining comprehensive policies and procedures related to cybersecurity. Given the limited regulatory authority of the SEC over municipal issuers, the SEC cannot require municipal issuers to include cybersecurity disclosure in offering documents or adopt policies and procedures. That said, the SEC assesses the adequacy of disclosure based on determining materiality and, with the recent uptick, severity and costs of cyberattacks on municipal issuers, municipal issuers should consider whether it is advisable to include cybersecurity disclosure in offering documents. Furthermore, municipal issuers should consider whether it is worthwhile to adopt policies related to cybersecurity or to engage third parties to assess risk and offer solutions to mitigate such risk. To start the analysis, municipal issuers should consider asking questions, such as: • What is the risk of a cyberattack? • What impact would a cyberattack have on the municipal issuer’s operations, financial condition, reputation, susceptibility to litigation and security for the bonds? • Has the municipal issuer ever been attacked? • Does the municipal issuer have any cybersecurity policies and procedures? • Has the municipal issuer appointed an officer to oversee its cybersecurity measures, including in the event of a cyberattack? • Is the municipal issuer’s technology, such as its servers, secure? • Does the municipal issuer use any third-party services to store data? • Does the municipal issuer have adequate insurance policies to cover any losses? Importantly, any cybersecurity disclosure and policies and procedures that are publically available should be carefully drafted to ensure that the information does not provide a roadmap for a potential hacker to attack the municipal issuer’s systems. The SEC, for example, discourages detailed disclosure of a public company’s cybersecurity measures and does not expect companies to publicly disclose specific technical information about their cybersecurity systems. Striking a balance between disclosure and overexposure of information is thus critical when drafting any information that may be publically available. Climate Change The earth’s climate has evolved throughout history and continues to change. According to the National Aeronautics and Space Administration, evidence of rapid climate change includes global temperature rise, warming oceans, shrinking ice sheets, decreased snow cover, sea level rise, and extreme weather-related events. Regardless of the cause, there is no doubt that extreme weather events have impacted many public entities. Hurricane Harvey, for instance, devastated the coast of Texas, leaving behind approximately $125 billion worth of costs. Municipal issuers are forced to reckon with the ramifications of extreme weather-related events. Similar to cybersecurity disclosure, the SEC has not published guidance for municipal issuers on climate change or pursued any enforcement actions involving municipal issuers and climate change. In 2010, the SEC provided guidance for public companies on climate change disclosure. The guidance summarized a number of SEC rules and regulations that may be the source of a disclosure obligation under the federal securities laws, including disclosure in a public company’s registration statement. The guidance also provided examples of climate-change-related issues that a public company may need to consider, including the impact of legislation and regulation addressing climate change, indirect consequences of regulation or business trends, as well as the physical impact that such extreme weather events can have on a public company’s operations and financial condition. Again, given the limited regulatory authority of the SEC over municipal issuers, the SEC cannot require municipal issuers to include climate change disclosure in offering documents. Similar to cybersecurity disclosure, the adequacy of disclosure is assessed based on determining materiality, and with the occurrence of more frequent and extreme weather related events, municipal issuers should consider whether it is appropriate to include climate change or weather-related event disclosure in offering documents. To start the analysis, municipal issuers should consider asking questions, such as: • What is the risk of climate change or a weather-related event? • What impact does climate change and/or weather-related events have on the municipal issuer’s property, operations, financial condition and security for its obligations? • In the past, what has been the financial impact of weather-related events? • How frequent are weather-related events? • Has any material environmental litigation occurred involving the municipal issuer because of weather-related events?

Spotlight on Public Finance | 2