SEC proposes cybersecurity disclosure and reporting requirements for public companies

On March 9, the U.S. Securities and Exchange Commission (SEC) proposed rule amendments¹ that, if adopted, would impose significant new cybersecurity-related disclosure obligations on U.S. reporting companies², including requirements to both file current reports with the SEC about material cybersecurity incidents as well as provide disclosure regarding cybersecurity incidents, risk management, strategy and governance in periodic reports. However, most of the proposed amendments would not apply to Canadian companies that report under the multijurisdictional disclosure system (MJDS).

The SEC previously issued guidance in 2011 and 2018³ regarding U.S. reporting companies’ cybersecurity-related disclosure obligations. In the proposing release, the SEC noted that although disclosures in these areas generally have improved since this guidance was issued, disclosure practices have been inconsistent.

What you need to know

• Cybersecurity incidents
  • If adopted, the proposed rules would introduce requirements for U.S. reporting companies to file current reports with the SEC about material cybersecurity incidents. The SEC has defined a “cybersecurity incident” as an unauthorized occurrence on or conducted through a company’s information systems⁴ that jeopardizes the confidentiality, integrity, or availability of those information systems or “any information residing therein”. With respect to what constitutes a “material” cybersecurity incident, the SEC is proposing to use the same materiality standard that generally applies under U.S. securities laws in other contexts—whether there is a substantial likelihood that a reasonable investor would consider it important and whether such information would significantly alter the total mix of information made available.
  • Form 8-K, which is the form of current report typically filed with the SEC by U.S. domestic reporting companies, would be amended to require disclosure about a cybersecurity incident within four business days after the company determined that the incident was material, which may be later than the date the issuer became aware of the incident. Form 8-K would also require the company to make such a materiality determination “as soon as reasonably practicable after discovery of the incident”. The company would be required to disclose when the incident occurred and whether it was still ongoing, and then briefly describe the incident and its scope. It would also be required to disclose the incident’s impact on the company’s operations, whether any data was stolen, altered or accessed, and the company’s remediation efforts.
  • Form 6-K, which is the form of current report that foreign private issuers (including MJDS issuers) furnish to the SEC in lieu of Form 8-K, would be amended to add “material cybersecurity incidents” as an item that might trigger a filing requirement to the extent such disclosure was made pursuant to home country requirements⁵. Consistent with other disclosure requirements set out in Form 6-K, the proposed amendments to Form 6-K do not specify whether or when a foreign private issuer must report a material cybersecurity incident or what should be disclosed about such incidents. Instead, the form and content of the cybersecurity incident disclosure that would be attached to the Form 6-K generally would be determined by home country disclosure requirements.
  • U.S. reporting companies other than MJDS issuers also would have to include in their periodic reports on Forms 10-Q and 10-K (U.S. domestic reporting companies) and Form 20-F (foreign private issuers) any material changes, additions or updates regarding any cybersecurity incidents previously reported on Form 8-K or Form 6-K that occurred during the reporting period (including information about remediation). Disclosure would also be required in these reports when a series of previously undisclosed, individually immaterial cybersecurity incidents became material in the aggregate.
• Cybersecurity risk management, strategy and governance
  • U.S. reporting companies also would be required to include disclosure in their periodic reports on Forms 10-K and 10-Q (U.S. domestic reporting companies) and Form 20-F (foreign private issuers) about: 1) their policies and procedures to identify and manage cybersecurity risks including whether they consider cybersecurity risks as part of their business strategy, financial planning and capital allocation; and 2) the board of directors’ oversight of cybersecurity risk, management’s role in assessing and managing such risk, management’s cybersecurity expertise, and management’s role in implementing the registrant’s cybersecurity policies, procedures, and strategies. Notably, these proposed rules would not apply to MJDS issuers.
  • In addition, U.S. domestic reporting companies (but not MJDS issuers or other foreign private issuers) would have to include disclosure about their board’s cybersecurity expertise in their proxy statements or information circulars.
• The SEC is not proposing any changes to Form 40-F, which governs the annual reports filed by MJDS issuers with the SEC, but is seeking comment on whether it should require MJDS issuers to comply with cybersecurity-related disclosure requirements in the same manner as Form 10-K and 20-F filers.
• Canadian securities laws currently do not impose any cybersecurity-specific disclosure requirements on reporting issuers, but the Canadian Securities Administrators have published guidance outlining their expectations regarding reporting issuers’ disclosures in respect of material cybersecurity incidents and risks and related mitigation strategies⁶.

To discuss these issues, please contact the author(s).

This publication is a general discussion of certain legal and related developments and should not be relied upon as legal advice. If you require legal advice, we would be pleased to discuss the issues in this publication with you, in the context of your particular circumstances.

For permission to republish this or any other publication, contact Janelle Weed.

© 2024 by Torys LLP.

All rights reserved.