The SEC’s Proposed New Cybersecurity Disclosure Requirements: ABS Supplement for Asset-Backed Issuers

March.15.2022

Last week, the SEC proposed new disclosure rules for public companies regarding cybersecurity incidents and related policies and procedures.  These rules could affect how companies structure cybersecurity programs.

Our governance and cyber teams published an article summarizing the proposed rules as applied to public companies generally and proposing some steps companies can consider taking now.  Our structured finance team has prepared this “ABS supplement” to that underlying article, summarizing how the proposed rules would apply to asset-backed issuers more particularly, as well as some of the shortcomings of the proposed rules as applied to asset-backed issuers.  We encourage you to read this ABS supplement together with the underlying article.

The proposed rules fall into two categories:

1.   Incident Reporting:  Disclosure of material cybersecurity incidents in Current Reports on Form 8-K, pursuant to proposed new Item 1.05 to Form 8-K; and

2.   Periodic disclosure of cybersecurity risk management, strategy, and governance:  Disclosure of a registrant’s policies and procedures to identify and manage cybersecurity risks, management’s role in implementing those policies and procedures, the board of directors’ cybersecurity expertise and oversight of cybersecurity risk, and updates about previously reported material cybersecurity incidents.  These disclosure requirements are proposed to be codified in new Items 106 and 407(j) to Regulation S-K, with corresponding proposed changes to Form 10-K and Form 10-Q to require that these new disclosures be included in those periodic reports.

The proposed rules would also require the cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language (Inline XBRL).

The proposed rules are subject to a comment period of at least 60 days, which could be longer if publication in the Federal Register is substantially delayed.

Application of Proposed Disclosure Framework to Asset-Backed Issuers

On its face, the proposed disclosure rules apply to “registrants” and would, therefore, apply to corporate issuers and asset-backed issuers alike, though the proposed rules would include an exception for a narrow subset of these disclosures relating to certain governance matters in cases where the asset-backed issuer does not have any executive officers or directors.

The proposed disclosure framework does not, however, appear to have been fully fleshed out for asset-backed issuers.  For example –

  • Under Regulation AB, the term “asset-backed issuer” is defined as “[t]he depositor for the asset-backed securities acting solely in its capacity as depositor to the issuing entity.” See Item 1101(b) of Regulation AB, Rule 191 under the Securities Act of 1933, and Rule 3b-19 under the Securities Exchange Act of 1934.

    The depositor is, however, often a special purpose vehicle whose activities are typically limited to receiving or purchasing and transferring or selling the pool assets to the issuing entity in connection with one or more securitization transactions.  As the depositor neither holds the pool assets nor issues the asset-backed securities supported by that asset pool, it would seem that the SEC may have intended the focus of its proposed disclosure rules to be on the issuing entity rather than on the asset-backed issuer.

  • Even if the SEC did intend to apply its proposed disclosure rules to the issuing entity, that entity is also a special purpose vehicle whose activities are limited to “passively owning or holding the pool of assets, issuing the asset-backed securities supported or serviced by those assets, and other activities reasonably incidental thereto.” See Item 1101(c)(2)(ii) of Regulation AB.

    As a passive special purpose vehicle with no operations or business, the proposed disclosure rules would not seem to be any more relevant to the issuing entity than they would be to the depositor.  If the SEC were nonetheless intent on applying its proposed disclosure rules in the context of asset-backed securitization, a more appropriate focus might be on another material transaction party, such as the servicer of the pool assets, which is the subject of specific disclosure requirements under Item 1108 of Regulation AB.

  • The proposed rule and form changes appear to be focused almost exclusively on corporate issuers that have operations and businesses, rather than on asset-backed issuers that have no such operations or businesses. For example, the proposed rules –

    • define “cybersecurity incident” as “an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein” [emphasis added];
    • define “information systems” by reference to “information resources, owned or used by the registrant” [emphasis added];
    • provide for certain disclosures about the issuer’s risk management, strategy, and governance, such as disclosing the role cybersecurity plays in a company’s strategy, financial planning, and capital allocation; and
    • require that the issuer’s periodic filings reflect any “material changes, additions, or updates” to previously-reported cybersecurity incidents, but the SEC is proposing conforming revisions only to Forms 10-Q and 10-K, not to Form 10-D.

If the proposed disclosure framework is to apply in the context of asset-backed securitization, it will require significant revision first.  The proposed rules would need to be revised to identify the securitization transaction party or parties whose vulnerabilities to cybersecurity incidents, and whose cybersecurity risk management, strategy and governance, could be material to investors in asset-backed securities.