Bloomberg News

A Securities and Exchange Commission probe into possible federal securities law violations in connection with a cyberattack on a Michigan township’s bond sale could be eyeing whether investors “are getting a full and accurate picture of the issuer’s credit risk,” a former SEC enforcement attorney said. 

“Municipal issuers are subject to antifraud rules, so the SEC might be looking at whether the municipality has provided truthful information about the impact of the hack,” said Andrew Feller, now senior special counsel at law firm Kohn, Kohn & Colapinto. 

Charter Township of White Lake, Michigan, sold $29 million of limited tax general obligation bonds, Series 2024B via competitive sale on Oct. 31, 2024, awarding the bonds to Robert W. Baird & Co., according to a Jan. 22 preliminary official statement. 

However, on the Nov. 21, 2024 scheduled closing date, the township learned it had been the victim of a “sophisticated cybersecurity attack,” the Jan. 22 POS said. As a result of fraudulent wiring instructions, Baird wired the purchase price of the Series 2024B bonds to an account cybercriminals had set up at a commercial bank.  

After discovering the diversion, the township notified the bank as well as police authorities and began efforts to recover the stolen funds, the POS said. The sale of the Series 2024B bonds was also cancelled.  

A March 11 supplement to the Jan. 22 POS said the cyberattack remains under investigation by federal law enforcement authorities. In addition, the SEC is  conducting an investigation relating to the event and the sale of the Series 2024B bonds to determine whether violations of federal securities laws have occurred, the supplement said.

Among the topics the SEC staff could be eyeing is whether the issuer has described the incident accurately and whether it is fully disclosing its ongoing vulnerabilities and remediation costs, Feller said. 

The SEC might also be looking into whether the township is disclosing the impact on its finances of possible increased financing costs stemming from cyber incident as well as whether the issuer has appropriately characterized and reserved for potential ongoing liability relating to the attack, the attorney said, noting press reports regarding a claim against the township from Baird. 

Under the federal securities laws, investors are entitled to be informed of “material” information related to securities, with materiality being defined by the Supreme Court as information that a reasonable investor would consider important in making a decision.

While the SEC does not have direct regulatory authority over municipal issuers, the antifraud provisions of the laws apply to all participants in the capital markets.

On Jan. 23, attorneys for Baird issued a demand letter to the township, asserting claims for damages stemming from the cyberattack, a Feb. 18 supplement to the Jan. 22 POS showed. Baird asserted that it had “suffered significant losses” from the event, which it believes total at least $6 million to $7 million, the supplement said. 

It’s also possible that SEC staff might be looking into the role of firms involved in the failed offering such as an underwriter or municipal adviser to see if they had cybersecurity weaknesses that led to the attack, Feller said.