McGuireWoods public finance partners Anna Horevay and T.W. Bruno shared insights with The Bond Buyer in a March 13, 2025, story about the increasing importance of cybersecurity disclosures in the municipal bond market.
A 2024 cyberattack that resulted in the loss of millions of dollars during the closing of a municipal bond offering by White Lake Township, Michigan, heightened awareness of the issue, The Bond Buyer reported. Some market participants argue that the municipal bond market needs improved U.S. Securities and Exchange Commission guidance on cybersecurity disclosures, according to the story.
In 2023, the SEC adopted a final rule standardizing cybersecurity disclosure practice for public companies, which must report materially determined cybersecurity incidents within four days.
While there are no official SEC guidelines for disclosing risks or attacks in municipal bond transactions, “we tend to look at what’s happening in the corporate market for ideas about what we should be doing and what we shouldn’t be doing,” said Horevay.
The Michigan township hack is the most prominent and publicly disclosed example of a cyberattack on a municipal bond closing, according to The Bond Buyer. Other attempted hacks have occurred, but issuers and firms are reluctant to share their experiences publicly, the newspaper reported.
“I can see a situation where somebody would worry about disclosing [a cyberattack], but at the same time if you’ve got bonds out there, this is what your obligation is, evaluating whether it’s material or not,” Bruno said.
Horevay and Bruno were at the forefront of thought leadership on this topic as they outlined key takeaways for municipal bond issuers from the SEC’s cybersecurity disclosure rules in a Sept. 6, 2023, legal alert, which The Bond Buyer cited in its story.