• The Securities and Exchange Commission (“SEC”) adopted new rules on July 26, 2023, to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies.
• In addition to requiring current disclosure about material cybersecurity incidents, the final rules require periodic disclosures about a registrant’s processes to assess, identify, and manage material cybersecurity risks, management’s role in assessing and managing material cybersecurity risks, and the board of directors’ oversight of cybersecurity risks.
• The final rules take effect 30 days after their date of publication in the Federal Register.

Background

The SEC issued proposed rules on March 9, 2022 that, on their face, would have applied to corporate issuers and asset-backed issuers alike, though they would have included an exception for a narrow subset of the new disclosures relating to certain governance matters in cases where the asset-backed issuer did not have any executive officers or directors. In an effort spearheaded and led by Orrick partner Mike Mitchell, the Structured Finance Association (“SFA”) organized a task force to assess and comment on the proposed rules. SFA submitted their comment letter on the proposed rules on May 9, 2022.

A central theme of SFA’s comment letter was that the framework proposed by the SEC did not take into account key aspects of ABS transactions that differentiate them from corporate securities transactions, including that asset-backed issuers are typically limited purpose, passive special purpose vehicles with limited activities, no operations or businesses, and no information systems. SFA also generally opposed applying the proposed rules to other transaction parties (such as the sponsor, servicer, originator, or trustee) because such parties are neither issuers of, nor obligors on, an asset-backed security, and because it is unlikely that such a transaction party’s financial performance or position would be affected by a cybersecurity incident to such an extent as to materially impede its ability to perform its duties and responsibilities to the securitization transaction.^[1]

Exemption for Asset-Backed Issuers and Related Considerations

The SEC was persuaded by SFA’s advocacy and has exempted asset-backed issuers from the final rules. In particular, the SEC agreed that asset-backed issuers are typically special purpose vehicles whose activities are limited to receiving or purchasing, and transferring or selling, assets to an issuing entity and, accordingly, do not own or use information systems, whereas the final rules are premised on an issuer’s ownership or use of information systems. The SEC indicates that it may consider cybersecurity disclosure rules specific to asset-backed securities at a later date.

While asset-backed issuers are exempt from the final rules, the SEC and its staff have issued interpretive guidance concerning the application of existing disclosure and other requirements under the federal securities laws to cybersecurity risks and incidents. In 2011, the staff of the SEC’s Division of Corporation Finance issued interpretive guidance providing the Division’s views concerning operating companies’ disclosure obligations relating to cybersecurity risks and incidents. In 2018, the SEC issued additional interpretive guidance reinforcing and expanding upon the 2011 staff guidance to assist operating companies in determining when these disclosure obligations may arise under existing disclosure rules.

While the SEC’s interpretive guidance addressed these disclosure obligations for operating companies, asset-backed issuers have adapted that guidance to their transactions when assessing the materiality of cybersecurity risks and incidents while preparing disclosure required in registration statements and prospectuses under the Securities Act of 1933.

• Many asset-backed issuers include enhanced disclosure relating to cybersecurity risks and incidents, based on general principles of materiality as applied in the context of an ABS transaction.
• While these disclosures vary in their level of detail, they typically address, among other things, how cybersecurity risks and incidents may disrupt the servicing and performance of the pool assets.
• Depending on the materiality of a cybersecurity incident, this disclosure may address the cause, scope, and impact of the incident, as well as remedial steps the servicer has taken or is taking in response to the incident.

Asset-backed issuers should continue to assess these risks and incidents notwithstanding their exemption from these final rules.