SEC Exempts Asset-Backed Issuers from New Cybersecurity Rules

SEC exemption is based on industry advocacy spearheaded and crafted by Orrick partner Mike Mitchell

4 minute read | July.27.2023

The Securities and Exchange Commission (“SEC”) adopted new rules on July 26, 2023, to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies.
In addition to requiring current disclosure about material cybersecurity incidents, the final rules require periodic disclosures about a registrant’s processes to assess, identify, and manage material cybersecurity risks, management’s role in assessing and managing material cybersecurity risks, and the board of directors’ oversight of cybersecurity risks.
The final rules take effect 30 days after their date of publication in the Federal Register.

Background

The SEC issued proposed rules on March 9, 2022 that, on their face, would have applied to corporate issuers and asset-backed issuers alike, though they would have included an exception for a narrow subset of the new disclosures relating to certain governance matters in cases where the asset-backed issuer did not have any executive officers or directors. In an effort spearheaded and led by Orrick partner Mike Mitchell, the Structured Finance Association (“SFA”) organized a task force to assess and comment on the proposed rules. SFA submitted their comment letter on the proposed rules on May 9, 2022.

A central theme of SFA’s comment letter was that the framework proposed by the SEC did not take into account key aspects of ABS transactions that differentiate them from corporate securities transactions, including that asset-backed issuers are typically limited purpose, passive special purpose vehicles with limited activities, no operations or businesses, and no information systems. SFA also generally opposed applying the proposed rules to other transaction parties (such as the sponsor, servicer, originator, or trustee) because such parties are neither issuers of, nor obligors on, an asset-backed security, and because it is unlikely that such a transaction party’s financial performance or position would be affected by a cybersecurity incident to such an extent as to materially impede its ability to perform its duties and responsibilities to the securitization transaction.^[1]

Exemption for Asset-Backed Issuers and Related Considerations

The SEC was persuaded by SFA’s advocacy and has exempted asset-backed issuers from the final rules. In particular, the SEC agreed that asset-backed issuers are typically special purpose vehicles whose activities are limited to receiving or purchasing, and transferring or selling, assets to an issuing entity and, accordingly, do not own or use information systems, whereas the final rules are premised on an issuer’s ownership or use of information systems. The SEC indicates that it may consider cybersecurity disclosure rules specific to asset-backed securities at a later date.

While asset-backed issuers are exempt from the final rules, the SEC and its staff have issued interpretive guidance concerning the application of existing disclosure and other requirements under the federal securities laws to cybersecurity risks and incidents. In 2011, the staff of the SEC’s Division of Corporation Finance issued interpretive guidance providing the Division’s views concerning operating companies’ disclosure obligations relating to cybersecurity risks and incidents. In 2018, the SEC issued additional interpretive guidance reinforcing and expanding upon the 2011 staff guidance to assist operating companies in determining when these disclosure obligations may arise under existing disclosure rules.

While the SEC’s interpretive guidance addressed these disclosure obligations for operating companies, asset-backed issuers have adapted that guidance to their transactions when assessing the materiality of cybersecurity risks and incidents while preparing disclosure required in registration statements and prospectuses under the Securities Act of 1933.

Many asset-backed issuers include enhanced disclosure relating to cybersecurity risks and incidents, based on general principles of materiality as applied in the context of an ABS transaction.
While these disclosures vary in their level of detail, they typically address, among other things, how cybersecurity risks and incidents may disrupt the servicing and performance of the pool assets.
Depending on the materiality of a cybersecurity incident, this disclosure may address the cause, scope, and impact of the incident, as well as remedial steps the servicer has taken or is taking in response to the incident.

Asset-backed issuers should continue to assess these risks and incidents notwithstanding their exemption from these final rules.

If you have any inquiries or insights, or would like to explore this topic further, please reach out to Mike Mitchell, or any other member of our Structured Finance team.

[1] SFA did acknowledge that cybersecurity disclosure rules might make sense for servicers of asset-backed securities, but advocated that any new rules should be tailored to such entities, rather than applying rules developed for corporate issuers.

Authors

Michael Mitchell Partner, Structured Finance, Asset‐Backed Securities

Washington, D.C.

See my bio

D:+1 202 339 8456
E: [email protected]

Practice:

Finance Sector
Structured Finance
Asset‐Backed Securities
Legislative/Regulatory Participation
Fintech

vCard

See full bio

Michael Mitchell Partner

Washington, D.C.

Described by Chambers USA as having “an in-depth understanding of securities regulations” and with clients commenting that “his knowledge base is superior,” Mike has extensive experience representing issuers and underwriters in consumer asset-backed securitization transactions. Mike has one of the top credit card securitization practices in the market and he also advises on a broad range of ABS, including transactions supported by consumer loans, motor vehicle loans and leases, dealer floorplan receivables, student loans, and residential and commercial mortgages.

Mike serves as counsel to financial institutions in capital markets and debt financing transactions and regularly advises clients on application of the federal securities laws and Dodd-Frank implementing regulations in the structured finance market.

Mike has served as outside counsel to the Structured Finance Association, and previously to the American Securitization Forum (ASF). He has drafted industry comment letters on Regulation AB (2004), Regulation AB2 (2010/2011), the Prohibition on Material Conflicts of Interest (2012), and Cybersecurity Risk and Incident Disclosure Rules (2022). Mike has also served as Chair of the Structured Finance Association's Revolving Master Trust Working Group in connection with its industry advocacy on Risk Retention.

Mike joined Orrick in 1997 and was a partner in Orrick’s Structured Finance Group until 2012. Prior to rejoining the firm in 2021, Mike was a partner in Chapman and Cutler’s Asset Securitization Department. He has also served as a Special Counsel with the Securities and Exchange Commission in the Office of the Chief Counsel for the Division of Corporation Finance. At the SEC, Mike had extensive involvement in oversight of the structured finance market and worked on a proposal—a precursor to Regulation AB—to develop disclosure and reporting guidelines for asset-backed issuers.

Related Lawyers

Robert Moyle Partner, Structured Finance, Asset‐Backed Securities

New York

See my bio

D:+1 212 506 5189
E: [email protected]

Practice:

Finance Sector
Structured Finance
Asset‐Backed Securities
Residential Mortgage‐Backed Securities
Derivatives
Fintech
Automotive Technology & Mobility

vCard

See full bio

Robert Moyle Partner

New York

Rob has experience with a wide variety of asset classes, including credit and charge card receivables, auto loans and leases, dealer floorplan receivables, consumer and small business loans, student loans, tender option bonds and residential mortgages. He represents a variety of market participants, including issuers, sponsors, underwriters, placement and remarketing agents, lenders, borrowers and liquidity providers. Rob also advises clients on the application of securities laws and other financial industry regulations, including Regulation AB II and the rules and regulations promulgated under the Dodd-Frank Act.

Rob joined Orrick in 2005. He serves as Hiring Partner in the New York Office and is a member of the firm’s Professional Development Committee.

Al Sawyers Partner, Structured Finance, Asset‐Backed Securities

New York

See my bio

D:+1 212 506 5041
E: [email protected]

Practice:

Finance Sector
Structured Finance
Asset‐Backed Securities
Derivatives
Swaps and Other Hedges
Fintech

vCard

See full bio

Al Sawyers Partner

New York

Al represents issuers and underwriters in the issuance of credit-linked notes, collateralized bond obligations, synthetic convertible bonds and synthetic money market eligible securities. He also works with clients entering into various swap agreements, such as interest rate, credit default, currency, and equity swaps, and has authored alerts on various financial industry-related topics, including the Dodd-Frank Act.

Al has been ranked by Chambers and Partners both globally and nationally in the structured products category. Legal500 has noted Al for his work in structured finance, quoting a client who stated that he has "impressive expertise in all facets of securitization in general, which is immensely helpful when we are working on complex transactions." The International Financial Law Review has also recognized Al for his work in structured finance and securitization. Euromoney notes him as an expert in Banking, Financial and Transactional Law: Structured Finance and Securitization.

Alan Knoll Partner, Asset‐Backed Securities, Debt Capital Markets

New York

See my bio

D:+1 212 506 5077
E: [email protected]

Practice:

Finance Sector
Asset‐Backed Securities
Debt Capital Markets
Equity Capital Markets
Legislative/Regulatory Participation
Structured Finance
Fintech
Automotive Technology & Mobility

vCard

See full bio

Alan Knoll Partner

New York

Alan's practice involves advising issuers, underwriters, purchasers and Boards of Directors on complex financial transactions in both publicly registered offerings and private placements. He has extensive experience with the securitization of a variety of assets, including credit cards, charge cards, consumer loans, auto loans, auto leases, dealer floorplans, aircraft and aircraft engines, and has been involved in the development of a number of novel securitization structures. Alan also has proficiency in general corporate matters, including SEC reporting requirements.

Alan is co-chair of Orrick’s Opinion Committee and is a member of the firm’s Risk Management Committee and Conflicts Resolution Committee. He has also served as a member of the Board of Her Justice, an organization which provides free legal services to low-income women in New York City who suffer from abuse, and is a recipient of the Her Justice Commitment to Justice Award.