Canada: SEC Adopts Final Rules On Cybersecurity Disclosure Requirements For U.S. Public Companies

The U.S. Securities and Exchange Commission (SEC) has adopted final rules¹ regarding cybersecurity-related disclosure obligations for U.S. public reporting companies². The rules include requirements to file current reports with the SEC about material cybersecurity incidents and provide disclosure regarding cybersecurity risk management, strategy and governance in annual reports.

What you need to know

• Affected U.S reporting companies. The new annual reporting requirements will primarily affect U.S. domestic reporting companies and foreign private issuers (FPIs), but will not impose independent reporting obligations on Canadian companies that report under themultijurisdictional disclosure system (MJDS).
• Rules and reporting dates. The final rules will become effective on September 5, 2023; new disclosures requirements on Form 10-K and Form 20-F will be due beginning with annual reports for fiscal years ending on or after December 15, 2023; and amendments to Form 8-K and Form 6-K requirements will apply beginning on December 18, 2023.
• Canadian impact. The SEC did not adopt additional prescriptive cybersecurity disclosure requirements for Form 40-F, which is applicable to MJDS issuers, as eligible issuers in Canada are generally permitted to comply with Canadian disclosure rather than the SEC's registration and disclosure requirements. Form 6-K, which does apply to MJDS issuers, is amended only to provide that home country (i.e., Canadian) disclosures regarding material cybersecurity incidents should be furnished on Form 6-K.

Who is required to disclose?

The new requirements to report cybersecurity-related incidents will primarily affect U.S. domestic reporting companies (i.e., those required to file current reports on Form 8-K). It will affect FPIs, including Canadian companies that report under the MJDS, only insofar as Form 6-K will include "material cybersecurity incidents" among the types of items that may trigger the furnishing of a Form 6-K (i.e., it does not create a disclosure obligation independent of what was previously required by Form 6-K).

The annual reporting requirements relating to cybersecurity risk management, strategy and governance will affect U.S. reporting companies that file annual reports on Form 10-K and FPIs that file annual reports on Form 20-F but will not be required for annual reports on Form 40-F for Canadian companies relying on the MJDS.

Final rules (and reporting) effective dates

The new cybersecurity rules mark the third time that the SEC has addressed cybersecurity disclosure with previous guidance coming in 2011 and 2018³. The new rules aim to standardize U.S. reporting companies' cybersecurity-related disclosure obligations to ensure that the disclosure is consistent, comparable and made in a decision-useful manner.

The final rules will become effective on September 5, 2023. The new Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023. The new Form 8-K and Form 6-K requirements will apply beginning December 18, 2023. Later compliance dates will apply for smaller reporting companies⁴.

New disclosure requirements

Periodic reporting of cybersecurity incidents

The new rules introduce requirements for U.S. reporting companies to file periodic reports with the SEC about material cybersecurity incidents. The SEC has defined a "cybersecurity incident" as an unauthorized⁵ occurrence, or a series of related unauthorized occurences, on or conducted through a company's information systems⁶ that jeopardizes the confidentiality, integrity, or availability of those information systems or any information residing therein.

The SEC is using the same materiality standard that generally applies under U.S. securities laws in other contexts to determine what constitutes a "material" cybersecurity incident under the new disclosure rules—that is, whether there is a substantial likelihood that a reasonable investor would consider it important and whether such information would significantly alter the total mix of information made available. This could, for example, include qualitative material impact, such as reputational harm, in addition to a strictly financial or quantitative materiality analysis.

Filing periodic incidents to the SEC: Form 8-K and Form 6-K

Form 8-K has been amended to add Item 1.05, which requires disclosure of a material cybersecurity incident within four business days after the company determined that the incident was material, which may be later than the date the issuer became aware of the incident. Item 1.05 of Form 8-K requires the company to make such a materiality determination "without unreasonable delay" following the discovery of a cybersecurity incident.

Reporting companies will be required to provide the following for Form 8-K:

• The company is required to disclose the material aspects of the nature, scope and timing of the incident. The company is also required to disclose the incident's material impact (or reasonably likely material impact) on the company, including its financial condition and results of operations.
• The final rules include an exception for disclosures of cybersecurity incidents that may pose a threat to national security or public safety, upon determination by the U.S. Attorney General.
• To the extent that the information called for by Item 1.05(a) of Form 8-K is not determined or is unavailable at the time of the required filing, the final rules require the company to include a statement to this effect in the Form 8-K and then file an amendment to its Form 8-K filing containing such information within four business days after the company, without unreasonable delay, determines such information or within four business days after such information becomes available.

Form 6-K, which is the form of current report that FPIs (including MJDS issuers) furnish to the SEC in lieu of Form 8-K, has been amended to add "material cybersecurity incidents" as an item that might trigger a filing requirement to the extent such information was disclosed in a foreign jurisdiction, to any stock exchange or to its securityholders⁷. Consistent with other disclosure requirements set out in Form 6-K, the amendments to Form 6-K do not specify what should be disclosed about such incidents. Instead, the form and content of the cybersecurity incident disclosure that would be attached to the Form 6-K generally would be determined by home country disclosure requirements.

Annual reporting of cybersecurity-related disclosures

The final rules on cybersecurity-related disclosure obligations require U.S. reporting companies to include disclosure in their annual reports on Form 10-K (U.S. domestic reporting companies) and Form 20-F (FPIs) regarding both cybersecurity risk management and strategy, and cybersecurity governance.

Cybersecurity risk management and strategy

• Companies will now be required to describe the company's processes, if any, for assessing, identifying and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes. In providing such disclosure, a company should consider addressing, as applicable, the following non-exclusive list of disclosure items:
  • whether and how any such processes have been integrated into the company's overall risk management system or processes;
  • whether the company engages assessors, consultants, auditors or other third parties in connection with any such processes; and
  • whether the company has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider.
• Companies will also be expected to describe whether any risks from cybersecurity threats (including as a result of any previous cybersecurity incidents) have materially affected or are reasonably likely to materially affect the company, including its business strategy, results of operations or financial condition, and if so, how.

Cybersecurity governance

• With respect to disclosure regarding cybersecurity governance under the final rules, companies will be required to describe the board of directors' oversight of risks from cybersecurity threats. If applicable, the company must identify any board committee or subcommittee responsible for the oversight of risks from cybersecurity threats and describe the processes by which the board or such committee is informed about such risks. The final rules, however, do not require disclosure of cybersecurity expertise of individual board members.
• Companies will also be expected to include disclosure on management's role in assessing and managing the company's material risks from cybersecurity threats. In providing such disclosure, a company would need to address, as applicable, the following non-exclusive list of disclosure items:
  • whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise;
  • the processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents; and
  • whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors.

The above-mentioned new rules regarding cybersecurity governance, strategy and risk management do not apply to MJDS issuers filing annual reports on Form 40-F.

Impact of the SEC rules in Canada

The SEC did not adopt additional prescriptive cybersecurity disclosure requirements to Form 40-F, which governs the annual reports filed by MJDS issuers with the SEC, given that the MJDS generally permits eligible issuers in Canada to comply with Canadian disclosure rather than the SEC's registration and disclosure requirements.

Canadian securities laws currently do not impose any cybersecurity-specific disclosure requirements on reporting issuers, but the Canadian Securities Administrators have published guidance outlining their expectations regarding reporting issuers' disclosures in respect of material cybersecurity incidents and risks and related mitigation strategies⁸.

Footnotes

1. See Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (Release Nos. 33-11216; 34-97989; File No. S7-09-22).

2. In this bulletin, "U.S. public reporting company" or "U.S. reporting company" means any domestic or foreign company that has a class of voting equity securities registered under Section 12 of the Securities Exchange Act of 1934, as amended (the "Exchange Act"). This would include all NYSE and Nasdaq-listed companies, as well as certain other companies that are required to register under Section 12(g) of the Exchange Act because they have more than a prescribed number of shareholders.

3. See Corporate Finance Division, CF Disclosure Guidance: Topic No. 2 - Cybersecurity (Oct. 13, 2011) and Commission Statement and Guidance on Public Company Cybersecurity Disclosures, Release No. 33-10459 (Feb. 26, 2018) No. 33-10459 (Feb. 21, 2018).

4. As defined in Item 10(f)(1) of Regulation S-K, a company generally qualifies as a "smaller reporting company" if: (1) it has public float of less than $250 million; or (2) it has less than $100 million in annual revenues and (i) no public float or (ii) public float of less than $700 million.

5. The SEC is of the view that an accidental occurrence is generally an unauthorized occurrence and as such may be a "cybersecurity incident" under the definition in the new rules, even if there is no confirmed malicious activity. For example, if a company's customer data are accidentally exposed, allowing unauthorized access to such data, the data breach would constitute a "cybersecurity incident" that would necessitate a materiality analysis to determine whether disclosure under Item 1.05 of Form 8-K is required.

6. The SEC has defined "information systems" to include electronic information resources owned or used by the U.S. reporting company, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of the company's information to maintain or support the company's operations.

7. Specifically, the SEC has included "material cybersecurity incidents" as an additional specified matter that may be reportable on Form 6-K to the extent that it constitutes information that the company: "(1) makes or is required to make public under the laws of its jurisdiction of incorporation, (2) files, or is required to file, under the rules of any stock exchange, or (3) otherwise distributes to its securityholders"; and is material with respect to the issuer and its subsidiaries. See General Instruction B of Form 6-K.

8. See CSA Staff Notice 11-332 Cyber Security (September 27, 2016) and Multilateral Staff Notice 51-347 Disclosure of Cyber Security Risks and Incidents (January 19, 2017).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.