On June 13, 2023, the Securities and Exchange Commission (“SEC”) published its Spring 2023 rulemaking agenda, which delayed finalizing the proposed Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule for public companies and the proposed rule on Cyber Risk Management for Investment Advisers, Registered Investment Companies and Business Development Companies until at least October 2023. The proposed rules were originally intended to be finalized in April 2023.
Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule for public companies. This is yet another delay for the SEC’s proposed rule for public companies, which was originally published in March 2022. Initially, the SEC sought public comment on the proposed rule through May 9, 2022, but then initiated an additional comment period from October 7, 2022 until November 1, 2022. As we previously highlighted, the proposed rule included sweeping changes to the SEC’s cybersecurity reporting rules for public companies subject to the Securities Exchange Act. Among other prescriptive cybersecurity requirements, if enacted, the new rules would require covered public companies to:
- Report material cybersecurity incidents on Form 8-K within four business days of a materiality determination;
- Routinely update investors on such incidents in quarterly and annual reports; and
- Periodically disclose cyber-related governance information, including the board’s oversight and management’s implementation of cyber-related risk management policies and procedures.
Cyber Risk Management for Investment Advisers, Registered Investment Companies and Business Development Companies. The SEC originally proposed the Cyber Risk Management for Investment Advisers, Registered Investment Companies and Business Development Companies rule in February 2022. The proposal stipulated that registered investment advisers and investment companies must, among other things:
- Adopt and implement documented, risk-based cybersecurity policies and procedures;
- Annually review and document the design and effectiveness of their cybersecurity program; and
- Report cyber incidents to the SEC within 48 hours of reasonably concluding that a cyber incident occurred.
The SEC is also expected to finalize three recently proposed cybersecurity requirements that (1) amend Regulation S-P, (2) amend Regulation SCI, and (3) establish a new Cybersecurity Risk Management Rule for broker-dealers, clearing agencies and other SEC-regulated entities. These proposed rules have been pushed back even further and are now slated for April 2024.
Alston & Bird’s Securities Litigation and Privacy, Cyber & Data Strategy teams continue to monitor developments in the SEC’s proposed cybersecurity rules.