On July 26, 2023, the Securities and Exchange Commission (SEC) issued final Regulations relating to cybersecurity disclosures. The Regulations apply only to SEC registered companies, so they do not apply to housing finance agencies (HFAs). However, because the Regulations are based on principles of materiality to investors, and materiality principles apply to the sale of bonds by HFAs, the Regulations provide guidance to the SEC’s view of cybersecurity disclosure rules appropriate to an HFA’s issuance of housing bonds.

The Regulations address disclosure of:  

1. Risk management and strategy – that is, “the processes, if any, for assessing, identifying and managing material risks from threats in sufficient detail for a reasonable investor to understand those processes.” Processes do not mean detailed policies and procedures (the SEC is concerned that detailed disclosure of policies/procedures could be a blueprint for hackers to follow), but rather mean disclosure to allow investors to ascertain an overview of an HFA’s cybersecurity practices. And whether the HFA’s cybersecurity risks are material to the HFA’s credit. Per the SEC, suggested disclosure items would include (A) whether or how the cybersecurity processes are integrated into the HFA’s overall risk management system or processes, (B) whether third parties such as consultants or auditors are engaged as part of the processes, and (C) whether the HFA has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider. Finally, an HFA should describe whether any cybersecurity threats or incidents have or may materially affect the HFA’s business strategy, results of operations or financial conditions, and if so, how.
2. Governance – describe the governing board’s oversight of cybersecurity risks, and how the board (or any board committee responsible for monitoring such risks) is informed about the risks. Also describe management’s roll in assisting and managing material risks from cyber threats such as (A) which management positions or committees are responsible for assessing and managing risks and their relevant expertise, (B) the processes by which such managers/committees are informed about and monitor prevention, detection, mitigation and remediation of cyber incidents and (C) whether such persons or committees report risk information to the board or board committee.

The Regulations, when initially proposed, contained greater specificity of the foregoing disclosure items. However, the final Regulations took a more general approach, focusing particularly on “materiality” as applied to the type of issuer and its business, in part because of the diversity of issuers and their businesses.

Our experience is that most HFAs already have some disclosure of cybersecurity risks and processes in their official statements. However, in light of the disclosure principles in these Regulations, HFAs should consider reviewing their present cybersecurity disclosure.

If you have any questions, please contact one of the attorneys listed below in Kutak Rock’s Housing Finance Agency Practice Group.

SEC Issues Final Regulations on Cybersecurity Disclosure