The U.S. Securities and Exchange Commission (SEC) has adopted final rules regarding cybersecurity-related disclosure obligations for U.S. public reporting companies. The rules include requirements to file current reports with the SEC about material cybersecurity incidents and provide disclosure regarding cybersecurity risk management, strategy and governance in annual reports.
The new requirements to report cybersecurity-related incidents will primarily affect U.S. domestic reporting companies (i.e., those required to file current reports on Form 8-K). They will affect FPIs, including Canadian companies that report under the MJDS, only insofar as Form 6-K will include “material cybersecurity incidents” among the types of items that may trigger the furnishing of a Form 6-K (i.e., they do not create a disclosure obligation independent of what was previously required by Form 6-K).
The annual reporting requirements relating to cybersecurity risk management, strategy and governance will affect U.S. reporting companies that file annual reports on Form 10-K and FPIs that file annual reports on Form 20-F but will not be required for annual reports on Form 40-F for Canadian companies relying on the MJDS.
The new cybersecurity rules mark the third time that the SEC has addressed cybersecurity disclosure, with previous guidance coming in 2011 and 2018. The new rules aim to standardize U.S. reporting companies’ cybersecurity-related disclosure obligations to ensure that the disclosure is consistent, comparable and made in a decision-useful manner.
The final rules will become effective on September 5, 2023. The new Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023. The new Form 8-K and Form 6-K requirements will apply beginning December 18, 2023. Later compliance dates will apply for smaller reporting companies.
The new rules introduce requirements for U.S. reporting companies to file periodic reports with the SEC about material cybersecurity incidents. The SEC has defined a “cybersecurity incident” as an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a company’s information systems that jeopardizes the confidentiality, integrity, or availability of those information systems or any information residing therein.
The SEC is using the same materiality standard that generally applies under U.S. securities laws in other contexts to determine what constitutes a “material” cybersecurity incident under the new disclosure rules—that is, whether there is a substantial likelihood that a reasonable investor would consider it important and whether such information would significantly alter the total mix of information made available. This could, for example, include qualitative material impact, such as reputational harm, in addition to a strictly financial or quantitative materiality analysis.
Form 8-K has been amended to add Item 1.05, which requires disclosure of a material cybersecurity incident within four business days after the company determined that the incident was material, which may be later than the date the issuer became aware of the incident. Item 1.05 of Form 8-K requires the company to make such a materiality determination “without unreasonable delay” following the discovery of a cybersecurity incident.
Reporting companies will be required to provide the following for Form 8-K:
Form 6-K, which is the form of current report that FPIs (including MJDS issuers) furnish to the SEC in lieu of Form 8-K, has been amended to add “material cybersecurity incidents” as an item that might trigger a filing requirement to the extent such information was disclosed in a foreign jurisdiction, to any stock exchange or to its securityholders. Consistent with other disclosure requirements set out in Form 6-K, the amendments to Form 6-K do not specify what should be disclosed about such incidents. Instead, the form and content of the cybersecurity incident disclosure that would be attached to the Form 6-K generally would be determined by home country disclosure requirements.
The final rules on cybersecurity-related disclosure obligations require U.S. reporting companies to include disclosure in their annual reports on Form 10-K (U.S. domestic reporting companies) and Form 20-F (FPIs) regarding both cybersecurity risk management and strategy, and cybersecurity governance.
The above-mentioned new rules regarding cybersecurity governance, strategy and risk management do not apply to MJDS issuers filing annual reports on Form 40-F.
The SEC did not adopt additional prescriptive cybersecurity disclosure requirements to Form 40-F, which governs the annual reports filed by MJDS issuers with the SEC, given that the MJDS generally permits eligible issuers in Canada to comply with Canadian disclosure rather than the SEC’s registration and disclosure requirements.
Canadian securities laws currently do not impose any cybersecurity-specific disclosure requirements on reporting issuers, but the Canadian Securities Administrators have published guidance outlining their expectations regarding reporting issuers’ disclosures in respect of material cybersecurity incidents and risks and related mitigation strategies.