On 26 July 2023, the US Securities and Exchange Commission (the “SEC”) adopted rules requiring registrants to disclose material cybersecurity incidents and certain information regarding their cybersecurity risk management, strategy, and governance. Under the final rules, foreign private issuers (“FPIs”) will be required to furnish on Form 6-K information on material cybersecurity incidents that they disclose or otherwise publicize in a foreign jurisdiction, to any stock exchange, or to security holders. They will also be required in their annual report on Form 20-F to (i) describe the board of directors’ oversight of risks from cybersecurity threats and (ii) describe management’s role in assessing and managing material risks from cybersecurity threats. The SEC stated in the adopting release that “FPIs’ cybersecurity incidents and risks are not any less important to investors’ capital allocation than those of domestic registrants”.
Disclosure of Cybersecurity Incidents
Under the final rules, domestic registrants will be required to disclose on Form 8-K the material aspects of the nature, scope, and timing of a cybersecurity incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations, within four business days of determining that the incident is material. The adopting release reiterates that information is material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly altered the total mix of information made available. Registrants should consider qualitative factors alongside quantitative factors in assessing the material impact of an incident, including reputational harm, impact on customer or vendor relationships, and the possibility of litigation or regulatory investigations or actions.
A registrant will not be expected to disclose specific or technical information about its planned response to a cybersecurity incident or its cybersecurity systems, related networks and devices or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident.
With respect to FPIs, the final rules amend Form 6-K to add “material cybersecurity incidents” as a reporting topic. However, consistent with other Form 6-K disclosure items, FPIs are only required to disclose on Form 6-K cybersecurity incidents to the extent that they are required to disclose such incidents in their home jurisdiction. As a result, existing home-country obligations under market abuse or similar rules will continue to govern the cybersecurity reporting requirements of FPIs primarily, but the SEC’s guidance for what may constitute a “material” cybersecurity incident under Form 8-K is likely to be helpful in informing what may trigger disclosure in the home market. This may particularly be the case if an FPI’s peers or competitors who are US domestic registrants report their cybersecurity incidents in accordance with the SEC’s new rules under Form 8-K.
Disclosure of Cybersecurity Risk Management, Strategy and Governance
Under the final rules, Item 16K of Form 20-F will require FPIs to make the same type of disclosure, on Form 20-F, regarding cybersecurity risk management, strategy and governance as those required under Item 106 of Regulation S-K for domestic registrants.
- Risk Management and Strategy: Under the new risk management and strategy disclosures, the SEC expects that investors will be able to ascertain a registrant’s cybersecurity practices, including whether they have a risk assessment program in place, with sufficient detail for investors to understand the registrant’s cybersecurity risk profile.
Under Regulation S-K Item 106(b), disclosure will be required to describe the registrant’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes. A registrant should address, as applicable, (i) whether and how the described cybersecurity processes have been integrated into the registrant’s overall risk management system or processes; (ii) whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes; and (iii) whether the registrant has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider.
A registrant will also be required to describe whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition and if so, how.
- Governance: The new governance disclosure requirements will require issuers to consider making changes to their disclosure controls and procedures to ensure that all cybersecurity incidents are reported up to management and the relevant board committees so that an appropriate assessment of materiality can be made regarding each incident.
Under Regulation S-K Item 106(c)(1), registrants will be required to describe the board of directors’ oversight of risks from cybersecurity threats, and, if applicable, identify any board committee or subcommittee responsible for such oversight and describe the processes by which the board or such committee is informed about such risks. Under Regulation S-K Item 106(c)(2), registrants will be required to describe management’s role in assessing and managing the registrant’s material risks from cybersecurity threats. Item 106(c)(2) provides the following non-exclusive list of potential disclosure items:
- Whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise;
- The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and
- Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors.
The final rules will become effective 30 days following publication of the adopting release in the Federal Register. With respect to the Form 20-F disclosures, FPIs must provide such disclosures beginning with annual reports for fiscal years ending on or after December 15, 2023. With respect to the Form 6-K disclosures, FPIs must begin complying on the later of 90 days after the date of publication in the Federal Register or December 18, 2023. All registrants must tag disclosures required under the final rules in Inline XBRL beginning one year after initial compliance with the related disclosure requirement.
To discuss these new rules in further detail, please contact the members of the HSF team listed below.
Please find a related article here on the SEC recently applying an individual liability lens: US SEC moves against individual directors over SolarWinds nation state supply chain attack | Cyber and Data Security notes (hsfnotes.com)