Last week, the SEC proposed new disclosure rules for public companies regarding cybersecurity incidents and related policies and procedures. These rules could affect how companies structure cybersecurity programs.
Our governance and cyber teams published an article summarizing the proposed rules as applied to public companies generally and proposing some steps companies can consider taking now. Our structured finance team has prepared this “ABS supplement” to that underlying article, summarizing how the proposed rules would apply to asset-backed issuers more particularly, as well as some of the shortcomings of the proposed rules as applied to asset-backed issuers. We encourage you to read this ABS supplement together with the underlying article.
The proposed rules fall into two categories:
1. Incident Reporting: Disclosure of material cybersecurity incidents in Current Reports on Form 8-K, pursuant to proposed new Item 1.05 to Form 8-K; and
2. Periodic disclosure of cybersecurity risk management, strategy, and governance: Disclosure of a registrant’s policies and procedures to identify and manage cybersecurity risks, management’s role in…
