June 30, 2023
On June 13, 2023, in its updated rulemaking agenda for Spring 2023, the Securities and Exchange Commission (“SEC”) indicated a goal of October 2023 for the adoption of proposed cybersecurity rules applicable to public companies and registered investment advisers and funds. The two rule proposals were issued by the SEC at the beginning of 2022 to address cybersecurity governance and cybersecurity incident disclosure, and the SEC had previously targeted adoption by no later than April 2023. Although the “Reg Flex” agenda is not binding and target dates frequently are missed or further delayed, the Spring agenda indicates that cybersecurity rulemakings remain a top, near-term priority for the SEC.
The Proposed Rules
Publicly Traded Companies
In March 2022, the SEC proposed new rules under the Securities Exchange Act of 1934 (the “Exchange Act”), titled Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (the “Exchange Act Proposal”). If adopted in its proposed form, the Exchange Act Proposal would require standardized disclosures regarding specific aspects of a company’s cybersecurity risk management, strategy, and governance. The Exchange Act Proposal also would require reporting on material cybersecurity incidents within four business days of a company’s materiality determination and periodic disclosures regarding, among other things, a company’s policies and procedures to identify and manage cybersecurity risk, oversight of cybersecurity by the board of directors and management, and updates to previously disclosed cybersecurity incidents.
Registered Investment Advisers and Funds
In February 2022, the SEC proposed new rules under the Investment Advisers Act of 1940 and the Investment Company Act of 1940, titled “Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies“ (the “RIA Proposal”). If adopted in its proposed form, the RIA Proposal would require both registered investment advisers and investment companies to adopt and implement written cybersecurity policies and procedures to address cybersecurity risk. The RIA Proposal would also require registered investment advisers to report significant cybersecurity incidents affecting the investment adviser or the funds it advises to the SEC, and would impose a new recordkeeping policy and internal review requirements related to cybersecurity.
In addition to the two proposals described above, the SEC has also proposed a cybersecurity rule for broker-dealers, clearing agencies, and other security market participants, but final action on this rule proposal is not expected until April 2024.
As discussed in our prior client alert on the Exchange Act Proposal, the SEC’s proposals were controversial, and many of the comments submitted on the proposals were critical of both the prompt incident reporting standard and prescriptive disclosures on board oversight and director cybersecurity expertise. Since that time, the SEC has adopted a number of rules substantially as proposed, but has significantly revised other rule initiatives in response to commenter concerns, and has also taken varied approaches with respect to new rules’ effective dates. As a result, it is difficult to predict what form the SEC’s final rules will take, and how soon companies will need to adapt their disclosures. Our prior client alert lists a number of actions companies can take in preparation for the final rules, and our recent article offers additional practical guidance given the SEC’s increased enforcement focus on cyber disclosures.
The following Gibson Dunn attorneys assisted in preparing this update: Cody Poplin, Matthew Dolloff, Sheldon Nagesh, Nicholas Whetstone, Stephenie Gosnell Handler, Vivek Mohan, Elizabeth Ising, Ronald Mueller, and Lori Zyskowski.
Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. To learn more about these issues, please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any of the following leaders and members of the firm’s Privacy, Cybersecurity and Data Innovation or Securities Regulation and Corporate Governance practice groups:
Privacy, Cybersecurity and Data Innovation Group:
S. Ashlie Beringer – Palo Alto (+1 650-849-5327, [email protected])
Jane C. Horvath – Washington, D.C. (+1 202-955-8505, [email protected])
Alexander H. Southwell – New York (+1 212-351-3981, [email protected])
Stephenie Gosnell Handler – Washington, D.C. (+1 202-955-8510, [email protected])
Vivek Mohan – Palo Alto (+1 650-849-5345, [email protected])
Securities Regulation and Corporate Governance Group:
Elizabeth Ising – Washington, D.C. (+1 202-955-8287, [email protected])
James J. Moloney – Orange County (+1 949-451-4343, [email protected])
Ron Mueller – Washington, D.C. (+1 202-955-8671, [email protected])
Lori Zyskowski – New York (+1 212-351-2309, [email protected])
Investment Funds Group:
Jennifer Bellah Maguire – Los Angeles (+1 213-229-7986, [email protected])
Shukie Grossman – New York (+1 212-351-2369, [email protected])
Edward D. Sopher – New York (+1 212-351-3918, [email protected])
© 2023 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice. Please note, prior results do not guarantee a similar outcome.