On March 9, the U.S. Securities and Exchange Commission (SEC) proposed rule amendments[1] that, if adopted, would impose significant new cybersecurity-related disclosure obligations on U.S. reporting companies[2], including requirements both to file current reports with the SEC about material cybersecurity incidents and to provide disclosure regarding cybersecurity incidents, risk management, strategy and governance in periodic reports. However, most of the proposed amendments would not apply to Canadian companies that report under the multijurisdictional disclosure system (MJDS).
The SEC previously issued guidance in 2011 and 2018[3] regarding U.S. reporting companies’ cybersecurity-related disclosure obligations. In the proposing release, the SEC noted that although disclosures in these areas generally have improved since this guidance was issued, disclosure practices have been inconsistent.
What you need to know
If adopted, the proposed rules would introduce requirements for U.S. reporting companies to file current reports with the SEC about material cybersecurity incidents. The SEC has defined a “cybersecurity incident” as an unauthorized occurrence on or conducted through a company’s information systems[4] that jeopardizes the confidentiality, integrity, or availability of those information systems or “any information residing therein”. With respect to what constitutes a “material” cybersecurity incident, the SEC is proposing to use the same materiality standard that generally applies under U.S. securities laws in other contexts—whether there is a substantial likelihood that a reasonable investor would consider it important and whether such information would significantly alter the total mix of information made available.
Form 8-K, which is the form of current report typically filed with the SEC by U.S. domestic reporting companies, would be amended to require disclosure about a cybersecurity incident within four business days after the company determined that the incident was material, which may be later than the date the issuer became aware of the incident. Form 8-K would also require the company to make such a materiality determination “as soon as reasonably practicable after discovery of the incident”. The company would be required to disclose when the incident occurred and whether it was still ongoing, and then briefly describe the incident and its scope. It would also be required to disclose the incident’s impact on the company’s operations, whether any data was stolen, altered or accessed, and the company’s remediation efforts.
Form 6-K, which is the form of current report that foreign private issuers (including MJDS issuers) furnish to the SEC in lieu of Form 8-K, would be amended to add “material cybersecurity incidents” as an item that might trigger a filing requirement to the extent such disclosure was made pursuant to home country requirements[5]. Consistent with other disclosure requirements set out in Form 6-K, the proposed amendments to Form 6-K do not specify whether or when a foreign private issuer must report a material cybersecurity incident or what should be disclosed about such incidents. Instead, the form and content of the cybersecurity incident disclosure that would be attached to the Form 6-K generally would be determined by home country disclosure requirements.
U.S. reporting companies other than MJDS issuers also would have to include in their periodic reports on Forms 10-Q and 10-K (U.S. domestic reporting companies) and Form 20-F (foreign private issuers) any material changes, additions or updates regarding any cybersecurity incidents previously reported on Form 8-K or Form 6-K that occurred during the reporting period (including information about remediation). Disclosure would also be required in these reports when a series of previously undisclosed, individually immaterial cybersecurity incidents became material in the aggregate.
Cybersecurity risk management, strategy and governance
U.S. reporting companies also would be required to include disclosure in their periodic reports on Forms 10-K and 10-Q (U.S. domestic reporting companies) and Form 20-F (foreign private issuers) about: 1) their policies and procedures to identify and manage cybersecurity risks including whether they consider cybersecurity risks as part of their business strategy, financial planning and capital allocation; and 2) the board of directors’ oversight of cybersecurity risk, management’s role in assessing and managing such risk, management’s cybersecurity expertise, and management’s role in implementing the registrant’s cybersecurity policies, procedures, and strategies. Notably, these proposed rules would not apply to MJDS issuers.
In addition, U.S. domestic reporting companies (but not MJDS issuers or other foreign private issuers) would have to include disclosure about their board’s cybersecurity expertise in their proxy statements or information circulars.
The SEC is not proposing any changes to Form 40-F, which governs the annual reports filed by MJDS issuers with the SEC, but is seeking comment on whether it should require MJDS issuers to comply with cybersecurity-related disclosure requirements in the same manner as Form 10-K and 20-F filers.
Canadian securities laws currently do not impose any cybersecurity-specific disclosure requirements on reporting issuers, but the Canadian Securities Administrators have published guidance outlining their expectations regarding reporting issuers’ disclosures in respect of material cybersecurity incidents and risks and related mitigation strategies[6].
[2] In this bulletin, “U.S. reporting company” means any domestic or foreign company that has a class of voting equity securities registered under Section 12 of the Exchange Act. This would include all NYSE and Nasdaq-listed companies, as well as certain other companies that are required to register under Section 12(g) of the Exchange Act because they have more than a prescribed number of shareholders.
[4] The SEC is proposing to define “information systems” to encompass “information resources” owned or used by the U.S. reporting company, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of the company’s information to maintain or support the company’s operations.
[5] Specifically, the SEC has proposed to include “cybersecurity incidents” as an additional specified matter that may be reportable on Form 6-K to the extent that it constitutes information that the company: “(1) makes or is required to make public under the laws of its jurisdiction of incorporation, (2) files, or is required to file, under the rules of any stock exchange, or (3) otherwise distributes to its securityholders”; and is material with respect to the issuer and its subsidiaries. See General Instruction B of Form 6-K.