SEC’s Proposed Cybersecurity Rules Delayed Yet Again

John Heflin, Kimberly Kiefer Peretti, Lance Taubin
Alston & Bird
Contact
LinkedIn
Facebook
X
Send
Embed

Alston & Bird

On June 13, 2023, the Securities and Exchange Commission (“SEC”) published its Spring 2023 rulemaking agenda that delayed finalizing the proposed Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule for public companies and proposed rule on Cyber Risk Management for Investment Advisers, Registered Investment Companies and Business Development Companies until at least October 2023.  The proposed rules were originally intended to be finalized in April 2023.

Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule for public companies. This is yet another delay for the SEC’s proposed rule for public companies, which was originally published in March 2022.  Initially, the SEC sought public comment on the proposed rule through May 9, 2022, but then initiated an additional comment period from October 7, 2022 until November 1, 2022.  The proposed rule included sweeping changes to its cybersecurity reporting rules for public companies, subject to the Security Exchange Act, as we previously highlighted.  Among other prescriptive cybersecurity requirements, if enacted, the new rules would require covered public companies to:

  • Report material cybersecurity incidents on Form 8-K within four business days of a materiality determination;
  • Routinely update investors on such incidents in quarterly and annual reports; and
  • Periodically disclose cyber-related governance information, including the board’s oversight and management’s implementation of cyber-related risk management policies and procedures.

Cyber Risk Management for Investment Advisers, Registered Investment Companies and Business Development Companies. The SEC originally proposed the Cyber Risk Management for Investment Advisers, Registered Investment Companies and Business Development Companies in February 2022, which stipulated that registered investment advisors and investment companies must, among other things:

  • Adopt and implement documented, risk-based cybersecurity policies and procedures;
  • Annually review and document the design and effectiveness of their cybersecurity program; and
  • Report cyber incidents to the SEC within 48 hours of reasonably concluding that a cyber incident occurred.

The SEC is also expected to finalize three recently proposed cybersecurity requirements that (1) amends Regulation S-P, (2) amends Regulation SCI, and (3) establishes a new Cybersecurity Risk Management Rule for broker-dealers, clearing agencies and other SEC-regulated entities. These proposed rules have been pushed back even further, and are now slated for April 2024.

Alston & Bird’s Securities Litigation and Privacy, Cyber & Data Strategy teams continue to monitor developments of the SEC’s proposed Cybersecurity rules.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Alston & Bird | Attorney Advertising

Written by:

Alston & Bird
Alston & Bird
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Alston & Bird on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide