SFA Responds to SEC Cybersecurity Disclosure Proposal
article by Structured Finance Association
Background:
On March 9, 2022, the Securities and Exchange Commission (SEC) proposed new disclosure rules to enhance and standardize disclosures made by public companies regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. The proposal applies to registrants, including corporate issuers and asset-backed issuers, specifically.
The proposal would require:
- Current reporting about material cybersecurity incidents,
- Periodic reporting to provide updates about previously reported cybersecurity incidents,
- Periodic reporting about a registrant’s cybersecurity risk policies and procedures, board of directors’ oversight of cybersecurity risk, and management’s role and expertise in assessing and managing cybersecurity risk, and
- Annual reporting or certain proxy disclosure about the board of directors’ cybersecurity expertise, if any.
Our View:
- We found the proposed rule to be focused almost exclusively on corporate registrants ignoring extensive fundamental and technical differences between the potential impact of cybersecurity risks and incidents on investors in corporate securities versus ABS.
- Therefore, we urged the SEC to propose tailored rules for asset-backed issuers that are appropriately aligned with the SEC disclosure and reporting framework for ABS and the relevant risks to ABS investors and to give the ABS market stakeholders an opportunity to provide public comment on those re-proposed rules.
- An example of an important area where the proposal does not appropriately address ABS risk is its focus on the asset-backed issuer whose very limited activities do not present cybersecurity risk to the ABS investors.
- Instead, we believe the primary area of potential cybersecurity risk to an ABS transaction relates to the breach of information systems used by a servicer (including the breach of personal information maintained on those information systems, which could disrupt servicing of the underlying pool assets).
- SFA highlighted that cybersecurity disclosure should be principles-based, focusing on material risks and risk management (rather than matters of cybersecurity strategy or governance) that would apply to Securities Act registration statements and prospectuses rather than ongoing reporting.
- For any proposed and adopted rules that the SEC may release for ABS transactions, we called for a transition period of at least six months.
- Lastly, legacy ABS should be excluded from additional cybersecurity reporting requirements.
- Instead, we believe the primary area of potential cybersecurity risk to an ABS transaction relates to the breach of information systems used by a servicer (including the breach of personal information maintained on those information systems, which could disrupt servicing of the underlying pool assets).