Spotlight on Public Finance, Spring 2018


Featured Article Only You Can Prevent Cyber-attacks: How to Spot the Fires and Put Them Out*

A colleague recently received a personal e-mail from a foreign prince offering massive “compeiennsation” for assistance liberating funds held by the United Nations—the prince just needed a $10,000 advance, via Western Union, to get some initial paperwork sorted out. Perhaps you received the same email. Unfortunately, most attempts at internet-based crime aren’t quite as easy to spot, and without sufficient response plans in place, they can be even harder to resolve.

For example, if a hacker accesses a municipal server, he or she can limit or manipulate public functions that operate through government networks. Just days ago, the Atlanta municipal government was held hostage for nearly a week following a digital extortion attempt. It is unclear how the City’s network was breached, but in the cyberattack, hackers attempted to lock government data files, limit access to many routine online government functions and, through encryption, refused to make them accessible until a ransom was paid. After five days offline, many (but not all) public services had been restored. The City has not yet divulged how the matter was resolved.

A separate common attack is for a fraudster to pose as a contractor on a public infrastructure project, who might email a project manager with a fake invoice requesting that payments be wired to a new account. Within minutes, bond proceeds paid to the “contractor” may end up in the same hands as the funds wired to help the poor foreign prince mentioned above.

Public entities are especially susceptible to email scams because open records and open meetings laws and transparent operations make it easy for criminals to conduct reconnaissance on employees and transactions. This allows the criminals to craft personalized and convincing fake messages that do not contain obvious indicators of a fraud.

*An earlier version of this article was previously published in The Bond Buyer. It has been updated to reflect more recent developments.

Spotlight on Public Finance | 1

Although they receive the most media attention, nation states, political parties, and large retailers are not the only entities being targeted by hackers. As those entities build stronger defenses, hackers have increasingly pursued lower profile and less protected yet still lucrative targets like state and local governments and other public entities. Indeed, some hospitals, school districts, and local governments have already been victims of cyber-attacks.¹ For example, a recent Department of the Treasury announcement stated that “[s]ince at least March 2016, Russian government cyber actors have also targeted U.S. government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.”² Despite this risk, public entities can be unaware and unprepared to identify and protect themselves from a variety of cyber-related threats, but there are a number of preliminary steps they can take to reduce risk and to be prepared.

Selected threats

• Business email compromise schemes. One of the most pervasive threats usually does not involve hacking in the traditional sense. Rather, criminals can devise simple tools to send emails that appear to come from an internal senior executive or accounting employee that direct another employee to initiate a bank transfer to an account controlled by the criminal. Well-meaning employees trying to satisfy an urgent request frequently fall victim to this scam, which is low-cost and low-risk for the criminal. Further, the risk is particularly acute where criminals have access to information that allows them to tailor convincing spoofed emails (e.g., internal emails released under open records laws). The FBI has identified business email compromise schemes as a top trend in cybercrime and has published a useful, plain language overview of the issue.

• Ransomware. Criminals and nation state actors are also using malicious code that locks users out of their systems or data in an attempt to extract ransom payments (like the recent cyber-attack that victimized Atlanta). User systems can be infected by visiting a compromised website or by opening a malicious email attachment. Once introduced to a network, this code—termed “malware”—can quickly spread to other devices. For example, in 2016, an employee of a Florida police department opened a malicious email attachment that spread, encrypted 160,000 city files, and triggered a demand for up to $33 million in bitcoin to unlock them.³ Some victims quietly pay the ransom rather than risk serious disruption to their business or reputational harm, but the FBI advises against doing so. Ransom payments also are rarely an option for a public entity.

• Data breaches. One of the most familiar cybersecurity incidents—the theft of large amounts of sensitive personal or financial data—is a real risk for public entities. For example, the FBI recently had the contact information of 20,000 of its employees leaked online.⁴ The amount of data stolen does not have to be large to have a significant impact—criminals have stolen login credentials to financial wire systems and have been able to initiate unauthorized transfers of tens of millions of dollars. The personal and financial data held by public entities—both large aggregations of data and more discrete pieces of critical financial information—will be attractive to criminals, especially when left vulnerable on older devices or systems.

• Physical effects. Any organization that is related to or supports critical infrastructure can also be subjected to threats beyond financial crimes. Actors who seek disruption of services or destruction of infrastructure may target these entities to gain a foothold in a network that controls systems in the physical world. For example, the federal government recently indicted Iranian hackers for illegally accessing the control system of a dam in Rye, New York. No physical damage occurred from that incident, but the potential for damage from similar intrusions is clear.

• Credit risk. An S&P Global Ratings analyst has said that a cybersecurity incident could affect a public entity’s credit rating. This is not only due to the cost of an incident; the accompanying loss in taxpayer trust could also hinder a public entity’s ability to raise taxes.⁵ We are not aware of any such downgrade that has happened yet, but it is a risk that public entities should be aware of.


• Litigation and regulatory risk. The Securities and Exchange Commission recently expanded its warnings to companies that generic disclosures identifying cybersecurity risk factors may be insufficient. Public entities that are not subject to the same U.S. Securities and Exchange Commission (SEC) rules that apply to public companies should be mindful of their cybersecurity risk disclosures.

• Intellectual property theft. In March 2018, the Department of Justice charged nine people associated with the Mabna Institute, an Iran-based company. The charging documents allege that since at least 2013, the defendants participated in a coordinated campaign of cyber-attacks into computer systems belonging to 144 U.S. universities, 176 universities across 21 foreign countries, 47 domestic and foreign private sector companies, the U.S. Department of Labor, the Federal Energy Regulatory Commission, the State of Hawaii, the State of Indiana, the United Nations, and the United Nations Children’s Fund. Among other things, the defendants are alleged to have stolen more than 31 terabytes of academic data and intellectual property, and the email account information of employees at companies, government agencies, and non-governmental organizations.

Mitigating the risks

Defending against these risks is not simple or easy, but there are some operational tips that can be the foundation of a robust and specifically tailored cyber risk management program.

• Employee training. “Human error is a major factor in breaches, and trusted but unwitting insiders are to blame.”⁶ Familiarizing employees with the threat their organization faces, and how to respond if an incident does occur, is probably the most important thing an organization can do. Catastrophic incidents can be, and sometimes are, avoided by employees who were trained to recognize a potential threat and know how to respond.

• Anti-Spoofing. The FBI has said the best way to avoid being exploited by a business email compromise scheme “is to verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone. Don’t rely on e-mail alone.” That’s good advice, but not always practical in every organization. Fortunately there are many technical options, including some built into standard Microsoft Office products, that provide conspicuous warnings to email users when a message may not be coming from who it claims to be from. Enabling such warnings is a low-cost and often effective way to alert employees to spoofed emails.

• Quick action. Victims of fraudulent wire transfers generally have 48 hours to notify law enforcement to have a chance to get their money back, or at least freeze the money in place. As with many aspects of cybersecurity, quickly identifying an incident and having a plan—or at the very least knowing who to call—can go a long way to mitigate negative impact.

• Basic device hygiene. Broadly, simple steps like enabling firewalls, using antivirus software, and keeping operating systems up-to-date reduce your risk.⁷ These steps alone will not stop a determined actor, but can cause someone looking for a target of opportunity to move on to a different victim and limit the spread of indiscriminate malware.

• Reflect and disclose. Recent SEC guidance to publicly traded companies seems to indicate that the SEC expects companies to conduct careful inward assessments that identify unique strengths and weaknesses, and that disclosures should be tailored to that assessment. Even for public entities not bound by that guidance, internal assessments and tailored cybersecurity risk disclosures may be prudent.

• Insurance. Cybersecurity insurance helps organizations manage their risk, but careful note should be taken of policy exclusions. The creativity of cyber criminals makes it very difficult for an insurance policy to fully and explicitly define the bounds of policy coverage, but increasingly insurers are requiring exclusions for some known risks. One example is losses arising from a stolen or misplaced portable electronic device—a potentially high-impact incident but one that can generally be mitigated by developing and enforcing portable device encryption policies.
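
The anti-spoofing warnings mentioned in the tips above can be sketched as a check a mail gateway runs on each inbound message before delivery. This is an added example, not code from the newsletter or from any mail product; the domain `city.example`, the official names, the keyword list and the sample messages are constructed assumptions.

```python
"""Flag inbound mail showing the business-email-compromise signs described above."""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "city.example"                     # assumption: the entity's own mail domain
PROTECTED_NAMES = {"dana reyes", "lee okafor"}  # assumption: officials who approve payments
PAYMENT_TERMS = re.compile(
    r"\b(wire|invoice|new account|bank details|routing number)\b", re.I)
AUTH_FAIL = re.compile(r"\b(spf|dkim|dmarc)=(fail|softfail)\b", re.I)


def domain_of(address):
    """Lower-cased domain part of an address ('' when there is none)."""
    return address.rpartition("@")[2].lower()


def spoof_warnings(raw_message):
    """Return the list of warning codes that apply to one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)
    external = from_domain != ORG_DOMAIN
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    # Only trust Authentication-Results stamped by your own receiving server;
    # a real gateway strips any copies supplied by the sender first.
    auth = " ".join(msg.get_all("Authentication-Results", []))

    warnings = []
    # An outside address wearing the name of an internal official.
    if external and display.strip().lower() in PROTECTED_NAMES:
        warnings.append("display-name-impersonation")
    # Replies would silently go to a different domain than the visible sender.
    if reply_addr and domain_of(reply_addr) != from_domain:
        warnings.append("reply-to-mismatch")
    # Claims to be internal, but sender authentication did not pass.
    if not external and AUTH_FAIL.search(auth):
        warnings.append("internal-domain-failed-auth")
    # Outside sender asking for money movement or changed bank details.
    if external and PAYMENT_TERMS.search(text):
        warnings.append("external-payment-request")
    return warnings


def banner(warnings):
    """Text a gateway could prepend to the message body; '' when nothing fired."""
    if not warnings:
        return ""
    return ("[CAUTION] This message may not be from who it claims to be: "
            + ", ".join(warnings) + ". Verify payment requests by phone.")


# Constructed sample messages (not real traffic).
SAMPLES = {
    "legit_internal": "\n".join([
        'From: "Dana Reyes" <dana.reyes@city.example>',
        "Authentication-Results: mx.city.example; spf=pass; dkim=pass; dmarc=pass",
        "Subject: Council agenda", "", "Agenda attached."]),
    "exec_impersonation": "\n".join([
        'From: "Dana Reyes" <dana.reyes.office@mail.example>',
        "Subject: Urgent", "", "Please wire $48,000 to the new account today."]),
    "contractor_invoice": "\n".join([
        'From: "Acme Paving Billing" <billing@acmepaving.example>',
        "Reply-To: <acme.billing@freemail.example>",
        "Subject: Invoice 1182", "", "Our bank details have changed."]),
    "spoofed_internal": "\n".join([
        'From: "Lee Okafor" <lee.okafor@city.example>',
        "Authentication-Results: mx.city.example; spf=fail; dmarc=fail",
        "Subject: Payroll file", "", "Send the payroll file."]),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, spoof_warnings(raw), banner(spoof_warnings(raw)), sep=" | ")
```

A banner only prompts the phone verification the FBI recommends; it does not replace it, since a message sent from a genuinely compromised internal mailbox passes every check here.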


Takeaways

Cybersecurity is a complex issue that necessarily requires careful and specific inward assessment. Further, cybersecurity is not merely an IT issue, it’s an enterprise-wide risk management issue. Senior leadership involvement and education is critical because engaged and informed leadership is one of the best defenses to skeptical government investigations and to civil lawsuits. Public entities should also consider maintaining a cyber-incident “playbook” that contains, among other things, a notification checklist of security, law enforcement, insurance, and legal contacts who should quickly be informed of a potential incident.

At Bracewell, we work with our public entity clients to develop and implement information security plans to reduce risks and to help insulate decision makers from the regulatory scrutiny that inevitably follows a cybersecurity incident. Bracewell lawyers routinely develop cybersecurity policies and procedures; conduct staff training; and respond to cybersecurity incidents by managing all aspects of the response, including the deployment of effective media and governmental communications to mitigate and minimize repercussions—both financial and reputational.

Perhaps you have been the recipient of a spoofed email and aren’t quite sure why these types of emails keep showing up? Or maybe you need to arm your staff with information on what to look for and how to respond to cybersecurity incidents? Our team is comprised of a diverse array of lawyers across a range of disciplines, including public entities. Should you have any questions related to cybersecurity, feel free to contact Bracewell lawyers Phil Bezanson or David Springer.

1 https://www.fbi.gov/investigate/cyber
2 https://home.treasury.gov/news/press-releases/sm0312
3 http://www.govtech.com/security/GT-OctoberNovember-2017-Small-Towns-Confront-Big-Cyber-Risks.html
4 https://www.cnn.com/2016/02/08/politics/hackers-fbi-employee-info/index.html
5 http://www.governing.com/topics/finance/gov-can-cyberattack-cause-credit-rating-downgrade.html
6 https://hbr.org/2016/09/the-biggest-cybersecurity-threats-are-inside-your-company
7 https://www.fbi.gov/investigate/cyber

PRACTICE FOCUS Disclosure Counsel

Use of the right disclosure counsel has never been more important. The U.S. Securities and Exchange Commission (SEC) continues its aggressive enforcement presence in the municipal securities market, and has followed through on earlier clear warnings that it will bring fraud-based enforcement actions against issuer officials together with the issuer when it considers disclosure to be materially misleading. Most recently on March 1, 2018, the SEC charged the town attorney and deputy supervisor of Oyster Bay, New York with defrauding investors. The focus on disclosure and the related emphasis on compliance with continuing disclosure undertakings all signal a changed environment calling for strong internal disclosure policies and procedures combined with expert outside disclosure counsel with expertise in SEC disclosure requirements and policy and experienced in application through disclosure preparation.

Our lawyers include former SEC officials, such as Paul Maco and Ed Fierro, who have first-hand experience developing municipal securities disclosure policy and regulation, including the continuing disclosure requirements of Rule 15c2-12. Their experience in formulating disclosure policy and regulation and application of SEC disclosure policy through SEC enforcement, and in the private sector, defending issuers, issuer officials, underwriters and others in SEC enforcement investigations and proceedings provides a combination of experience that simply sets us apart from other disclosure counsel.

As part of our disclosure counsel services, we frequently provide advice on state and federal securities laws and disclosure requirements and regularly advise and consult with clients and assist in preparing disclosure documents, including official statements, annual financial information, and event notices under Rule 15c2-12. Additionally, as disclosure counsel we assist in preparing disclosure controls and procedures, assist in periodic evaluations and revisions, and conduct periodic trainings for officials and staff involved in the disclosure process. We also frequently consult with clients regarding voluntary disclosure of various events not requiring disclosure under applicable continuing disclosure agreements, as well as potentially requiring disclosure pursuant to the duty to correct or duty to update articulated under antifraud case law. From time to time, we will advise clients on complex continuing disclosure agreement compliance issues that may arise in certain circumstances.

In addition to our disclosure counsel services, our lawyers have expertise and significant experience in defending clients in municipal securities and public pension investigations and prosecutions in state and federal courts, SEC administrative proceedings, Financial Industry Regulatory Authority, Inc. (FINRA) disciplinary hearings, and FINRA arbitration proceedings. For example, we defended the State of Rhode Island in the SEC’s formal investigation of its pension disclosures, securing a public letter from the Division of Enforcement announcing the closing of its investigation without recommending enforcement action. We successfully defended a mid-sized city in the Southwestern U.S. in a formal SEC enforcement investigation of its disclosure, securing a letter from the SEC Division of Enforcement confirming it would not recommend charges against the City or its officials. We also represented seven issuers who chose to self-report under the SEC’s MCDC program. Each of the seven issuers was notified by the Division of Enforcement that it does not intend to recommend an enforcement action by the Commission against the issuer.

For more information, please contact Paul Maco and Ed Fierro.

ATTORNEY SPOTLIGHT

Edward Fierro | Senior Counsel, Houston

Ed Fierro serves as bond counsel, disclosure counsel, underwriter’s counsel and purchaser’s counsel in a spectrum of public finance transactions. He also counsels municipal issuers, obligated persons and regulated entities on legal, regulatory and policy issues. Ed provides clients with a comprehensive understanding of the application of federal securities laws when analyzing regulatory, compliance and enforcement issues.

Previously, Ed served as senior counsel to the director of the Securities and Exchange Commission’s (SEC) Office of Municipal Securities. In this role, he was responsible for coordinating the SEC’s municipal securities activities and administering the rules pertaining to the municipal securities market. While at the SEC, Ed was instrumental in executing the SEC’s short-term fixed income market structure initiatives, implementing the municipal advisor regulatory regime, reviewing examination findings and enforcement actions, and proposing amendments to Rule 15c2-12.

His experience in the municipal securities industry also includes working in the legal and compliance departments of two investment banks. In those roles, Ed advised on legal, compliance and regulatory issues related to sales, trading and underwriting of municipal securities, including ensuring compliance with applicable rules promulgated by the SEC, the Municipal Securities Rulemaking Board (MSRB) and Financial Industry Regulatory Authority (FINRA). Ed also previously served a combined six years in the United States Army and California National Guard.

What are your specialties within public finance?

An increasing portion of my practice focuses on disclosure and regulatory matters. With respect to disclosure matters, I assist in drafting disclosure and advising clients on their disclosure obligations and compliance responsibilities. With respect to regulatory matters, I assist in providing advice on legal and compliance matters related to municipal securities transactions and municipal advisory activity.

What do you see as disclosure trends for issuers and conduit borrowers?

Our industry continues to experience increased sanctions and penalties from regulators. In this environment, issuers and conduit borrowers should at a minimum establish policies and procedures and train their officials and staff involved in the disclosure process. Issuers and conduit borrowers should also consider hiring disclosure counsel or outside consultants to assist them with complying with their disclosure obligations. The SEC has made clear that these types of measures help prevent violations of federal securities laws.

What should regulated entities be aware of in this environment?

Regulated entities need to be strategic, especially when communicating with and responding to regulators. Based on my experience working at the SEC, there are times when examiners and enforcement staff incorrectly apply the federal securities laws. It is important that regulated entities know when and how to push back against regulators. This is the same for issuers and conduit borrowers that find themselves in the middle of an investigation or enforcement action.

What do you like to do outside of work?

My wife and I enjoy traveling. This past winter we went to Finland before visiting my wife’s family in Russia. We spent a couple nights in Helsinki then took an overnight train to Rovaniemi. Rovaniemi is an interesting city that was destroyed by the German army in World War II and is now known for being the “official” home of Santa Claus. The city was great to explore but the best part of the trip was getting a chance to see the Northern Lights. We took snowmobiles to the Arctic Circle, set up a campfire, and were lucky enough to see the Northern Lights appear. It was a fantastic experience. This year we plan on exploring Peru and hiking up Machu Picchu.

What is your favorite thing about Houston?

The people are fantastic. I have lived in other communities all over the United States and I have never felt such a unique spirit. Houstonians have positive attitudes and their spirit is uplifting. We are happy to be part of such a wonderful community.

What would people be most surprised to learn about you?

While I was in the U.S. Army, I spent my free time restoring a classic car. I found the car at a farm outside of Fort Sill, Oklahoma. It was in terrible shape. It took about three years to complete. When I returned to California after my military service, I won numerous trophies at car shows and was even featured in a magazine specializing in classic cars.

TAX REFORM FALLOUT AND INFRASTRUCTURE PLAN DISCUSSION

Although the public finance industry dodged a bullet when Congress retained tax-exempt private activity bonds in the Tax Cuts and Jobs Act, the industry did not emerge unscathed. The biggest blow came with the repeal of tax-exempt advance refundings, but the industry also has experienced collateral damage due to the legislation, such as changes to the corporate tax rate and the alternative minimum tax. In the midst of the industry adjusting to the changes imposed by tax reform, the White House released its framework for rebuilding American infrastructure, which relies heavily on state and local financing tools to accomplish its goals.

Join us in our Bracewell Texas offices as Partners Victoria Ozimek and Brian Teaff explore how the industry is responding to the new tax reform paradigm (including advance refunding alternatives and effects on direct placements) and reactions to the Administration’s Infrastructure Plan. The presentation schedule is as follows:

• Bracewell Austin Office: Wednesday, April 11, 2018, 11:30 a.m. – 1:00 p.m.
• Bracewell San Antonio Office: Thursday, April 12, 2018, 11:30 a.m. – 1:00 p.m.
• Bracewell Houston Office: Tuesday, April 17, 2018, 11:30 a.m. – 1:00 p.m.
• Bracewell Dallas Office: Wednesday, April 18, 2018, 11:30 a.m. – 1:00 p.m.

If you would like to attend the presentation, please contact kelly.wallaert@bracewell.com


ATTORNEYS IN ACTION

Upcoming Events

UT Law’s 30th Annual Health Law Conference
Partner Brian Teaff will be presenting at UT Law’s 30th Annual Health Law Conference on a panel titled “Healthcare Transactions: How to Get to Closing” on April 5, 2018, in Houston.

Texas Women in Public Finance San Antonio Region – Second Quarter Brunch
Victoria Ozimek will be presenting on the topic of tax reform at the Texas Women in Public Finance San Antonio Region Breakfast on April 13, 2018.

SIFMA Municipal Compliance Roundtable
Paul Maco, Ed Fierro and Britt Steckman will be attending the SIFMA Municipal Compliance Roundtable in New York City, New York on April 26, 2018.

Fundamentals of Municipal Bond Law Seminar
Victoria Ozimek will serve as faculty for the National Association of Bond Lawyers (NABL) 2018 Fundamentals of Municipal Bond Law Seminar on April 25-27, 2018 in Charlotte, North Carolina.

Government Finance Officers Association (GFOA)
On May 8, 2018, Ed Fierro will participate in a panel titled “Disclosure Update” at the GFOA Annual Conference in St. Louis, Missouri.

Post Issuance Compliance Seminar
Partner Brian Teaff will present on the topic of the impact of tax reform on issuers at the FirstSouthwest Asset Management 2018 Post Issuance Compliance Seminar in Dallas, Texas on May 17, 2018.

Past Events

State Bar of Texas Tax Section and ABA Tax Section
Partner Brian Teaff participated on a panel discussing various careers in the tax field at the Tax Roundtable Lunch sponsored by the State Bar of Texas Tax Section and ABA Tax Section and South Texas College of Law on April 3, 2018 in Houston.

Texas Association of School Business Officials (TASBO)
Partner Jonathan Frels delivered a presentation at the TASBO “Bonds, Buildings & Beyond” program in Fort Worth, Texas on March 27-28, 2018.

SIFMA C&L Annual Seminar
Paul Maco, Ed Fierro and Britt Steckman attended the SIFMA C&L Annual Seminar in Orlando, Florida on March 18-21, 2018.

Tax and Securities Law Institute (TSLI)
On February 21 – 23, 2018, Bracewell attorneys spent a day and a half at the 16th Annual Tax and Securities Law Institute in Phoenix, Arizona discussing the latest news and information affecting the public finance industry.

2018 TASBO Annual Conference
Jonathan Frels and Rob Collins presented a session titled “Bond Elections 101” at the 2018 TASBO Annual Conference on February 26 – March 2, 2018 in Fort Worth, Texas.


Stifel 2018 Public Finance Department Meeting
Paul Maco presented a program titled “Due Diligence & Municipal Advisor Training” at the Stifel 2018 Public Finance Department Meeting, February 9-10, 2018 in San Antonio, Texas.

The Bond Buyer’s Texas Public Finance Conference
During The Bond Buyer’s Texas Public Finance Conference on February 12-14, 2018 in Austin, Texas, Bill Avila served as the moderator on the “Housing Innovation” panel; Charlie Almond presented on the “Tax Reform: State and Local Implications” panel; and Ed Fierro participated on the “Regulatory Panel: Recent Lessons Learned”.

Texas Women in Public Finance 2018 Annual Statewide Conference
Victoria Ozimek served as a moderator for the “Hot Topics in Public Finance” panel at the Texas Women in Public Finance 2018 Annual Statewide Conference on January 25-26, 2018 in Austin, TX.

Association of Water Board Directors Mid-Winter Conference
On January 26-27, 2018, Bracewell partner Clark Lord attended the 2018 Association of Water Board Directors Mid-Winter Conference in Dallas, Texas.

UPDATES

Since our last newsletter, our public finance team has distributed a number of federal securities and tax law updates as well as announcements and attorney commentaries. If you missed them the first time or would like to refresh your memory, we have compiled the most recent of our team’s updates here.

SEC Charges Additional Municipal Official With Securities Fraud In Connection With Oyster Bay Loan Guarantee Scheme
March 6, 2018
Paul Maco, Philip J. Bezanson, Britt Cass Steckman, and Caitlin Tweed

Mixed Messages on PABs: Fit for the Chopping Block or Cornerstone of Infrastructure Finance?
February 20, 2018
Victoria Ozimek and Brian Teaff

MSRB Comment Request on Draft FAQs Regarding Rule G-42 and Making Recommendations
February 15, 2018
Paul Maco, Edward Fierro and Britt Cass Steckman

SEC’s Office of Compliance Inspections and Examinations 2018 Examination Priorities
February 12, 2018
Paul Maco, Edward Fierro and Britt Cass Steckman

Municipal Advisor Firm and Principal Charged with Fraudulent Practices and Breach of Fiduciary Duty as SEC Continues Enforcement Focus
January 5, 2018
Paul Maco, Edward Fierro and Britt Cass Steckman

The Tax Reform Roller Coaster Ends – Summary of Provisions Affecting Public Finance
January 3, 2018
Victoria Ozimek and Brian Teaff


Former Mayor Charged by SEC and DOJ with Securities Fraud and Pay-to-Play Scheme
December 1, 2017
Paul Maco, Britt Cass Steckman, and Sarah L. Rafie

Disclosure Considerations and Tax Reform
November 30, 2017
Paul Maco and Edward Fierro

DID YOU KNOW?

• The disclosure counsel client is the issuer and the attorney-client privilege is with the issuer, not the underwriter or investors.
• Globally, cybercrime was the 2nd most reported crime in 2016.
• You can visit the SEC’s website (www.sec.gov/spotlight/cybersecurity) and test your knowledge on identity theft, data breaches and protecting your online accounts from fraud.

Bracewell LLP makes this information available for educational purposes. This information does not offer specific legal advice or create an attorney-client relationship with the firm. Do not use this information as a substitute for specific legal advice. Attorney advertising.

Bracewell is a leading law and government relations firm primarily serving the energy, finance and technology industries throughout the world.

Our industry focus results in comprehensive state-of-the-art knowledge of the commercial, legal and governmental challenges faced by our clients and enables us to provide innovative solutions to facilitate transactions and resolve disputes
