SFA Responds to SEC Cybersecurity Disclosure Proposal

Background:

On March 9, 2022, the Securities and Exchange Commission (SEC) proposed new disclosure rules to enhance and standardize disclosures made by public companies regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. The proposal applies to registrants, including corporate issuers and asset-backed issuers, specifically.

The proposal would require:

Current reporting about material cybersecurity incidents,
Periodic reporting to provide updates about previously reported cybersecurity incidents,
Periodic reporting about a registrant’s cybersecurity risk policies and procedures, board of directors’ oversight of cybersecurity risk, and management’s role and expertise in assessing and managing cybersecurity risk, and
Annual reporting or certain proxy disclosure about the board of directors’ cybersecurity expertise, if any.

Our View:

We found the proposed rule to be focused almost exclusively on corporate registrants ignoring extensive fundamental and technical differences between the potential impact of cybersecurity risks and incidents on investors in corporate securities versus ABS.
Therefore, we urged the SEC to propose tailored rules for asset-backed issuers that are appropriately aligned with the SEC disclosure and reporting framework for ABS and the relevant risks to ABS investors and to give the ABS market stakeholders an opportunity to provide public comment on those re-proposed rules.
An example of an important area where the proposal does not appropriately address ABS risk is its focus on the asset-backed issuer whose very limited activities do not present cybersecurity risk to the ABS investors.
- Instead, we believe the primary area of potential cybersecurity risk to an ABS transaction relates to the breach of information systems used by a servicer (including the breach of personal information maintained on those information systems, which could disrupt servicing of the underlying pool assets).
  - SFA highlighted that cybersecurity disclosure should be principles-based, focusing on material risks and risk management (rather than matters of cybersecurity strategy or governance) that would apply to Securities Act registration statements and prospectuses rather than ongoing reporting.
- For any proposed and adopted rules that the SEC may release for ABS transactions, we called for a transition period of at least six months.
- Lastly, legacy ABS should be excluded from additional cybersecurity reporting requirements.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.