• ABS issuers have been exempted from the U.S. Securities and Exchange Commission's (“SEC”) final rule requiring certain cybersecurity risk and incident disclosure (the “Final Rule”).¹

• The SEC left open the possibility of disclosure and reporting requirements for cybersecurity risks tailored to ABS issuers noting that the SEC may “consider cybersecurity disclosure rules specific to asset-backed securities at a later date.”

Background

In March 2022, the SEC issued a proposed rule (the “Proposed Rule”) to expand and standardize disclosure and reporting requirements for public companies regarding cybersecurity risks, incidents and management.² The SEC issued the Proposed Rule in response to a perceived rise in cybersecurity risks, the severity in cost and impact to companies experiencing cybersecurity attacks and the lack of standardization regarding disclosure. Currently, registrants disclose cybersecurity risks and incidents across Form 8-K, Form 10-K and Form 20-F, although the breadth and depth of disclosure has been varied making it difficult for investors to track. The Proposed Rule amended certain disclosure forms to require reporting on material cybersecurity incidents and a registrant’s policies and procedures for risk management. If the amended disclosure and reporting framework in the form set forth in the Proposed Rule were to apply to ABS issuers, it would represent a significant departure and expansion from the existing disclosure and reporting standards required under Regulation AB.

Market Participant and SFA Response to the Proposed Rule

The prevailing view among ABS market participants was that the Proposed Rule was not adequately tailored for ABS issuers, would not yield useful information for investors and would be a significant cost and compliance burden to ABS issuers. The Structured Finance Association (“SFA”) put forth these arguments in a May 9, 2022 comment letter (“Comment Letter”).³

The Comment Letter highlighted that the Proposed Rule was focused almost exclusively on corporate issuers that have operations and businesses, rather than on ABS issuers that have no such operations or businesses and noted that, without revision or clarification, ABS issuers would face the onerous task of building out policies and procedures to comply with a framework that was tailored to corporate issuers.

The Comment Letter further emphasized that ABS issuers are typically special purpose vehicles with limited activities and no operations or businesses and therefore do not own or use information systems. The Comment Letter urged the SEC to propose tailored rules for ABS issuers that are focused on servicers, whose cybersecurity information system vulnerabilities are more likely to be relevant to ABS issuers. The Comment Letter also argued that legacy ABS be excluded from any future cybersecurity disclosure and reporting requirements and that there be a transition period of at least six months after the effective date for any final rules applicable to ABS transactions.

SEC Final Rule

The SEC issued the Final Rule on July 26, 2023, which included an exemption for ABS issuers from the new cybersecurity disclosure and reporting requirements. The Final Rule will be effective on September 5, 2023.

The SEC noted that, “[w]e are exempting asset-backed securities issuers from the final rules. We agree with the commenter that the final rules would not result in meaningful disclosure by asset-backed issuers.” The SEC explained that it was persuaded by the commenter argument that “asset-backed issuers are typically special purpose vehicles whose activities are limited to receiving or purchasing, and transferring or selling, assets to an issuing entity and, accordingly, do not own or use information systems, whereas the final rules are premised on an issuer’s ownership or use of information systems.”

Outlook

The SEC’s decision to exempt ABS issuers from the Final Rule will come as a welcome relief for ABS market participants. However, to the extent that a servicer or other party to an ABS transaction is a public company, it will still be required to comply with the Final Rule with respect to information systems it owns or uses. The SEC also left open the possibility of disclosure and reporting requirements for cybersecurity risks tailored to ABS issuers noting that the SEC may “consider cybersecurity disclosure rules specific to asset-backed securities at a later date.”

*The authors would like to thank Regina Noonan for her contributions to this OnPoint.

1. SEC Final Rule, July 26, 2023.

2. SEC Proposed Rule, March 2022.

3. SFA Comment Letter, May 9, 2022.