The SEC's Proposed Cybersecurity Rules: Regulatory Delay Does Not Bless Standing By

Key Takeaways

• Since 2022, the U.S. Securities and Exchange Commission (SEC) has proposed several cybersecurity rules applicable to numerous regulated entities that, if adopted, would impose quick notification obligations and heightened disclosure requirements.

• Amid significant pushback during the public comment period, the SEC announced it would delay issuance of these rules, which are now expected to be finalized in October 2023 and April 2024.

• Because cybersecurity risks will continue to evolve more rapidly than the SEC’s public rulemaking process, public companies, investment advisers, broker-dealers, and other entities that may be impacted by these rules should not wait to address these risks, even in the face of regulatory uncertainty.

• After all, the SEC has already brought enforcements actions relating to cybersecurity incidents even in the absence of these proposed rules being finalized, and existing SEC and other regulatory frameworks already require baseline disclosure, notification, and safeguarding measures that these proposed SEC rules seek to enhance. SOURCE