SEC Delays Finalized Cyber Rules Until October 2023

Based on updates to its rulemaking agenda that were released last week, the U.S. Securities and Exchange Commission (SEC) has delayed approval of two cybersecurity rules until at least October 2023. Both proposed rules were released by the agency in early 2022.

Cyber Rules for Public Companies

In March 2022, the SEC proposed rules on cybersecurity risk management, governance, and incident disclosure by public companies. If adopted, this proposed rule, which was subject to two comment periods, would require enhanced cybersecurity disclosures regarding cybersecurity incidents and risk management. To learn more about the proposed public company cyber rules, read our March 2022 Client Alert. Final action is not expected on this proposed rule until at least October 2023, as opposed to April 2023 as previously announced.

Cyber Rules for Registered Investment Advisers, Registered Investment Companies, and Business Development Companies

One month earlier, in February 2022, the SEC proposed rules for cybersecurity risk management for registered investment advisers (RIAs), registered investment companies, and business development companies. This proposed rule was also subject to two comment periods. If adopted, the proposed rule would impose on RIAs and other entities within its purview a duty to implement bespoke cybersecurity policies and procedures, to review these policies and procedures at least annually, and to prepare a written report documenting their review, among other things. To learn more about these proposed cybersecurity rules, read our February 2022 Client Alert. Final action is not expected on this proposed rule until at least October 2023.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP. All rights reserved