Earlier this week, the Securities and Exchange Commission (“SEC”) published an update to its rulemaking agenda indicating that two previously proposed cyber rules might not be approved until October 2023 (although the agenda’s timeframe is an estimate and the rules could be finalized sooner, or later). The proposed rules in question address disclosure requirements regarding cybersecurity governance and cybersecurity incidents at publicly traded companies and registered investment advisers and funds.
- Cybersecurity Risk Governance Rule for Public Companies: Proposed in March 2022, this rule would require publicly traded companies to publicly disclose a cyber incident within four business days of determining that the incident is material and to provide disclosure in periodic reports about certain cybersecurity governance practices. The proposed rule has been subject to two comment periods; after the original comment period ended in May 2022, the SEC re-opened the comment period between October and November 2022.
- Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies: Proposed in February 2022, this rule would require registered investment advisers and investment companies to adopt and implement “written cybersecurity policies and procedures reasonably designed to address cybersecurity risks.” The rule would also require advisers to “report significant cybersecurity incidents affecting the adviser, or its fund or private fund clients” to the SEC as well as to implement certain recordkeeping practices. The proposed rule has also been subject to two comment periods; after the original comment period ended in April 2022, the SEC re-opened the comment period between March and May 2023.
The SEC is also considering multiple other rules that implicate cybersecurity considerations and are in various phases of comment and revision for broker-dealers, clearing agencies, major security-based swap participants, the Municipal Securities Rulemaking Board, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents.