August 17, 2023Calculating...

SEC adopts final rules on cybersecurity disclosure requirements for U.S. public companies

The U.S. Securities and Exchange Commission (SEC) has adopted final rules1 regarding cybersecurity-related disclosure obligations for U.S. public reporting companies2. The rules include requirements to file current reports with the SEC about material cybersecurity incidents and provide disclosure regarding cybersecurity risk management, strategy and governance in annual reports.

What you need to know

  • Affected U.S reporting companies. The new annual reporting requirements will primarily affect U.S. domestic reporting companies and foreign private issuers (FPIs), but will not impose independent reporting obligations on Canadian companies that report under the multijurisdictional disclosure system (MJDS).
  • Rules and reporting dates. The final rules will become effective on September 5, 2023; new disclosures requirements on Form 10-K and Form 20-F will be due beginning with annual reports for fiscal years ending on or after December 15, 2023; and amendments to Form 8-K and Form 6-K requirements will apply beginning on December 18, 2023.
  • Canadian impact. The SEC did not adopt additional prescriptive cybersecurity disclosure requirements for Form 40-F, which is applicable to MJDS issuers, as eligible issuers in Canada are generally permitted to comply with Canadian disclosure rather than the SEC’s registration and disclosure requirements. Form 6-K, which does apply to MJDS issuers, is amended only to provide that home country (i.e., Canadian) disclosures regarding material cybersecurity incidents should be furnished on Form 6-K.

Who is required to disclose?

The new requirements to report cybersecurity-related incidents will primarily affect U.S. domestic reporting companies (i.e., those required to file current reports on Form 8-K). It will affect FPIs, including Canadian companies that report under the MJDS, only insofar as Form 6-K will include “material cybersecurity incidents” among the types of items that may trigger the furnishing of a Form 6-K (i.e., it does not create a disclosure obligation independent of what was previously required by Form 6-K).

The annual reporting requirements relating to cybersecurity risk management, strategy and governance will affect U.S. reporting companies that file annual reports on Form 10-K and FPIs that file annual reports on Form 20-F but will not be required for annual reports on Form 40-F for Canadian companies relying on the MJDS.

Final rules (and reporting) effective dates

The new cybersecurity rules mark the third time that the SEC has addressed cybersecurity disclosure with previous guidance coming in 2011 and 20183. The new rules aim to standardize U.S. reporting companies’ cybersecurity-related disclosure obligations to ensure that the disclosure is consistent, comparable and made in a decision-useful manner.

The final rules will become effective on September 5, 2023. The new Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023. The new Form 8-K and Form 6-K requirements will apply beginning December 18, 2023. Later compliance dates will apply for smaller reporting companies4.

New disclosure requirements

Periodic reporting of cybersecurity incidents

The new rules introduce requirements for U.S. reporting companies to file periodic reports with the SEC about material cybersecurity incidents. The SEC has defined a “cybersecurity incident” as an unauthorized5 occurrence, or a series of related unauthorized occurences, on or conducted through a company’s information systems6 that jeopardizes the confidentiality, integrity, or availability of those information systems or any information residing therein.

The SEC is using the same materiality standard that generally applies under U.S. securities laws in other contexts to determine what constitutes a “material” cybersecurity incident under the new disclosure rules—that is, whether there is a substantial likelihood that a reasonable investor would consider it important and whether such information would significantly alter the total mix of information made available. This could, for example, include qualitative material impact, such as reputational harm, in addition to a strictly financial or quantitative materiality analysis.

Filing periodic incidents to the SEC: Form 8-K and Form 6-K

Form 8-K has been amended to add Item 1.05, which requires disclosure of a material cybersecurity incident within four business days after the company determined that the incident was material, which may be later than the date the issuer became aware of the incident. Item 1.05 of Form 8-K requires the company to make such a materiality determination “without unreasonable delay” following the discovery of a cybersecurity incident.

Reporting companies will be required to provide the following for Form 8-K:

  • The company is required to disclose the material aspects of the nature, scope and timing of the incident. The company is also required to disclose the incident’s material impact (or reasonably likely material impact) on the company, including its financial condition and results of operations.
  • The final rules include an exception for disclosures of cybersecurity incidents that may pose a threat to national security or public safety, upon determination by the U.S. Attorney General.
  • To the extent that the information called for by Item 1.05(a) of Form 8-K is not determined or is unavailable at the time of the required filing, the final rules require the company to include a statement to this effect in the Form 8-K and then file an amendment to its Form 8-K filing containing such information within four business days after the company, without unreasonable delay, determines such information or within four business days after such information becomes available.

Form 6-K, which is the form of current report that FPIs (including MJDS issuers) furnish to the SEC in lieu of Form 8-K, has been amended to add “material cybersecurity incidents” as an item that might trigger a filing requirement to the extent such information was disclosed in a foreign jurisdiction, to any stock exchange or to its securityholders7. Consistent with other disclosure requirements set out in Form 6-K, the amendments to Form 6-K do not specify what should be disclosed about such incidents. Instead, the form and content of the cybersecurity incident disclosure that would be attached to the Form 6-K generally would be determined by home country disclosure requirements.

Annual reporting of cybersecurity-related disclosures

The final rules on cybersecurity-related disclosure obligations require U.S. reporting companies to include disclosure in their annual reports on Form 10-K (U.S. domestic reporting companies) and Form 20-F (FPIs) regarding both cybersecurity risk management and strategy, and cybersecurity governance.

Cybersecurity risk management and strategy
  • Companies will now be required to describe the company’s processes, if any, for assessing, identifying and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes. In providing such disclosure, a company should consider addressing, as applicable, the following non-exclusive list of disclosure items:
    • whether and how any such processes have been integrated into the company’s overall risk management system or processes;
    • whether the company engages assessors, consultants, auditors or other third parties in connection with any such processes; and
    • whether the company has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider.
  • Companies will also be expected to describe whether any risks from cybersecurity threats (including as a result of any previous cybersecurity incidents) have materially affected or are reasonably likely to materially affect the company, including its business strategy, results of operations or financial condition, and if so, how.
Cybersecurity governance
  • With respect to disclosure regarding cybersecurity governance under the final rules, companies will be required to describe the board of directors’ oversight of risks from cybersecurity threats. If applicable, the company must identify any board committee or subcommittee responsible for the oversight of risks from cybersecurity threats and describe the processes by which the board or such committee is informed about such risks. The final rules, however, do not require disclosure of cybersecurity expertise of individual board members.
  • Companies will also be expected to include disclosure on management’s role in assessing and managing the company’s material risks from cybersecurity threats. In providing such disclosure, a company would need to address, as applicable, the following non-exclusive list of disclosure items:
    • whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise;
    • the processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents; and
    • whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors.

The above-mentioned new rules regarding cybersecurity governance, strategy and risk management do not apply to MJDS issuers filing annual reports on Form 40-F.

Impact of the SEC rules in Canada

The SEC did not adopt additional prescriptive cybersecurity disclosure requirements to Form 40-F, which governs the annual reports filed by MJDS issuers with the SEC, given that the MJDS generally permits eligible issuers in Canada to comply with Canadian disclosure rather than the SEC’s registration and disclosure requirements.

Canadian securities laws currently do not impose any cybersecurity-specific disclosure requirements on reporting issuers, but the Canadian Securities Administrators have published guidance outlining their expectations regarding reporting issuers’ disclosures in respect of material cybersecurity incidents and risks and related mitigation strategies8.


To discuss these issues, please contact the author(s).

This publication is a general discussion of certain legal and related developments and should not be relied upon as legal advice. If you require legal advice, we would be pleased to discuss the issues in this publication with you, in the context of your particular circumstances.

For permission to republish this or any other publication, contact Janelle Weed.

© 2024 by Torys LLP.

All rights reserved.
 

Subscribe and stay informed

Stay in the know. Get the latest commentary, updates and insights for business from Torys.

Subscribe Now