The U.S. Securities Exchange Commission (SEC) on March 9, 2022 released for comment proposed amendments to its rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance and incident reporting by public companies (“registrants”) that are subject to the reporting requirements of the Securities Exchange Act of 1934 (the Proposed Rule). According to the SEC, the proposed amendments are intended to better inform investors about a registrant’s risk management, strategy and governance related to cybersecurity and to provide timely notification to investors of material cybersecurity incidents.
The Proposed Rule by its terms applies to registrants and would therefore apply to corporate issuers and asset-backed issuers. The Proposed Rule, however, is not tailored to securitizations. In fact, it is surprising how little attention securitizations are given in the Proposed Rule. As such, it is difficult for participants in the securitization market to comment on the Proposed Rule. The risk, however, in not commenting on the Proposed Rule is that the SEC may issue a final version of the Proposed Rule that is substantially identical to the current version of the Proposed Rule.