SEC exemption is based on industry advocacy spearheaded and crafted by Orrick partner Mike Mitchell
4 minute read | July.27.2023
The SEC issued proposed rules on March 9, 2022 that, on their face, would have applied to corporate issuers and asset-backed issuers alike, though they would have included an exception for a narrow subset of the new disclosures relating to certain governance matters in cases where the asset-backed issuer did not have any executive officers or directors. In an effort spearheaded and led by Orrick partner Mike Mitchell, the Structured Finance Association (“SFA”) organized a task force to assess and comment on the proposed rules. SFA submitted their comment letter on the proposed rules on May 9, 2022.
A central theme of SFA’s comment letter was that the framework proposed by the SEC did not take into account key aspects of ABS transactions that differentiate them from corporate securities transactions, including that asset-backed issuers are typically limited purpose, passive special purpose vehicles with limited activities, no operations or businesses, and no information systems. SFA also generally opposed applying the proposed rules to other transaction parties (such as the sponsor, servicer, originator, or trustee) because such parties are neither issuers of, nor obligors on, an asset-backed security, and because it is unlikely that such a transaction party’s financial performance or position would be affected by a cybersecurity incident to such an extent as to materially impede its ability to perform its duties and responsibilities to the securitization transaction.
The SEC was persuaded by SFA’s advocacy and has exempted asset-backed issuers from the final rules. In particular, the SEC agreed that asset-backed issuers are typically special purpose vehicles whose activities are limited to receiving or purchasing, and transferring or selling, assets to an issuing entity and, accordingly, do not own or use information systems, whereas the final rules are premised on an issuer’s ownership or use of information systems. The SEC indicates that it may consider cybersecurity disclosure rules specific to asset-backed securities at a later date.
While asset-backed issuers are exempt from the final rules, the SEC and its staff have issued interpretive guidance concerning the application of existing disclosure and other requirements under the federal securities laws to cybersecurity risks and incidents. In 2011, the staff of the SEC’s Division of Corporation Finance issued interpretive guidance providing the Division’s views concerning operating companies’ disclosure obligations relating to cybersecurity risks and incidents. In 2018, the SEC issued additional interpretive guidance reinforcing and expanding upon the 2011 staff guidance to assist operating companies in determining when these disclosure obligations may arise under existing disclosure rules.
While the SEC’s interpretive guidance addressed these disclosure obligations for operating companies, asset-backed issuers have adapted that guidance to their transactions when assessing the materiality of cybersecurity risks and incidents while preparing disclosure required in registration statements and prospectuses under the Securities Act of 1933.
Asset-backed issuers should continue to assess these risks and incidents notwithstanding their exemption from these final rules.
 SFA did acknowledge that cybersecurity disclosure rules might make sense for servicers of asset-backed securities, but advocated that any new rules should be tailored to such entities, rather than applying rules developed for corporate issuers.