On July 26, 2023, the United States Securities and Exchange Commission (the "SEC") adopted finalised rules (the "Cybersecurity Rules") to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance and incident reporting by public companies that are subject to the reporting requirements of the United States Securities Exchange Act of 1934, as amended (the "Exchange Act"), including foreign private issuers ("FPIs").
This memorandum summarizes the new Cybersecurity Rules and provides certain recommendations for consideration by Canadian-based issuers subject to the reporting requirements of the Exchange Act.
Prior to the adoption of the Cybersecurity Rules, there were no explicit form requirements relating to cybersecurity matters. Regulation S-K and Regulation S-X include some general guidelines for suggested cybersecurity disclosure – such as risk factors, management's discussion and analysis and financial statements. However, there are few prescriptive form requirements.
In 2011 and 2018, the SEC also issued interpretive guidance to direct companies on how cybersecurity risks and incidents should be discussed under the existing disclosure rules. Over the years, the SEC staff observed that, in spite of the additional guidance, cybersecurity disclosures remained inconsistent, which necessitated the new Cybersecurity Rules.
Overview of the New Cybersecurity Rules
Specifically, the SEC's Cybersecurity Rules require:
Incident Reporting: Current reporting on Form 8-K of any cybersecurity incident the company experiences that is determined to be material, and describing the material aspects of the nature, scope and timing of the incident, and the material impact or reasonably likely material impact on the company, including its financial condition and results of operations.
Annual Reporting: Annual reporting on Form 10-K of the company's processes for identifying, assessing and managing material risks from cybersecurity threats, and describing whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect its business strategy, results of operations, or financial condition; management's role in assessing and managing the company's material cybersecurity risks; and the board's oversight of cybersecurity risks.
The new Cybersecurity Rules require disclosure within four business days after a company determines that a "cybersecurity incident" experienced by the company is material. "Cybersecurity incident" is defined as an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant's information systems that jeopardizes the confidentiality, integrity, or availability of a registrant's information systems or any information residing therein. The SEC reiterated in the adopting release that, in general, it "believe[s] that an accidental occurrence is an unauthorized occurrence," and that an accidental occurrence may therefore be a cybersecurity incident under its definition, "even if there is no confirmed malicious activity."
The disclosure requirements for cybersecurity incidents are set out in Item 1.05 of Form 8-K. The trigger for disclosure is the date on which the company determines that a cybersecurity incident it has experienced is material, rather than the date of the incident. The guidance for Form 8-K dictates that the materiality assessment should occur promptly upon discovery of a cybersecurity incident. In the adopting release, the SEC also notes that adhering to normal internal practices and disclosure controls and procedures is sufficient to demonstrate good faith compliance.
Amendments to Form 6-K, which apply to foreign private issuers, parallel those adopted for domestic issuers in Form 8-K. The amendments require foreign private issuers to furnish on Form 6-K information about material cybersecurity incidents that the companies disclose or otherwise publicize in a foreign jurisdiction, to any stock exchange, or to security holders. Under Canadian securities laws, where a material change occurs in the affairs of a reporting issuer (such as a material cybersecurity incident), the issuer is generally required to immediately issue a news release disclosing the nature and substance of the change.
The analysis for materiality of cybersecurity incidents is the same as the materiality analysis for other securities laws purposes and should be based on the total mix of information, including qualitative and quantitative factors.
If a material cybersecurity incident occurs then the issuer must file a Form 8-K, disclosing:
the material aspects of the nature, scope and timing of the incident, and
the material impact or reasonably likely material impact on the company, including its financial condition and results of operations.
Delay Due to Risks to National Security or Public Safety
A company may delay disclosure of a material cybersecurity incident if disclosure poses a substantial risk to national security or public safety. Such determination is to be made by the U.S. Attorney General, who will also notify the SEC in writing.
If the information required to be disclosed under Item 1.05 of Form 8-K cannot be ascertained or is not available at the time of the required filing, companies must acknowledge the absence of that information in their initial disclosure. They must subsequently file an amendment to Form 8-K within four business days of determining, or gaining access to, the missing information.
The Cybersecurity Rules require enhanced disclosures of cybersecurity risk management and governance in annual reports on Forms 10-K and 20-F, including:
Risk Management: A company's processes, if any, for assessing, identifying and managing material risks from cybersecurity threats.
Strategy: Whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect a company's business strategy, results of operations or financial condition.
Governance: The board of directors' oversight of risks from cybersecurity threats and management's role in assessing and managing material risks from cybersecurity threats.
Issuers must describe processes, if any, for assessing, identifying and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes and the company's cybersecurity risk profile. This disclosure should include, as applicable, a discussion of:
whether and how the described processes have been integrated into the company's overall risk management system or processes,
whether the company engages assessors, consultants, auditors or other third parties in connection with any such processes, and/or
whether the company has processes to oversee and identify material risks from cybersecurity threats associated with its use of third-party service providers.
Issuers must describe whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the company, including its business strategy, results of operations or financial condition, and if so, how.
Issuers must describe:
the board's oversight of risks from cybersecurity threats,
if applicable, the board committee or subcommittee responsible for that oversight, and
the processes by which the board or board committee is informed about such risks.
The SEC did not adopt the proposed rule that would have required companies to disclose the cybersecurity expertise of board members. However, disclosure of management's expertise is required and issuers must describe management's role in assessing and managing material cybersecurity risks and threats. The Cybersecurity Rules direct companies to consider including, but not limited to, disclosure of the following information:
whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as is necessary to fully describe the nature of the expertise,
the processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents, and
whether such persons or committees report information about such risks to the board of directors or a board committee or subcommittee.
Foreign Private Issuers
The aforementioned annual disclosure requirements apply to Forms 10-K and 20-F filers. For Form 40-F filers, the SEC chose to maintain the multijurisdictional disclosure system ("MJDS") whereby eligible Canadian FPIs can continue to use Canadian disclosure standards. Canadian FPIs are subject to the Canadian Securities Administrators' 2017 guidance on the disclosure of cybersecurity risks and incidents (described below).
Canadian Cybersecurity Guidance
In February 2017, the Canadian Securities Administrators (the "CSA") published Multilateral Staff Notice 51-347: Disclosure of cyber security risks and incidents, which provides guidance to Canadian issuers regarding their disclosure practices. The notice stated, amongst other things, that cybersecurity policies and procedures of registered firms should include preventative practices, training of all staff and a cybersecurity incident response plan. In considering whether and when to disclose a cybersecurity incident, the CSA noted the issuer must determine whether it is a material fact or material change that requires disclosure in accordance with securities legislation.
The final rules will become effective September 5, 2023. The Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023. Public companies (other than smaller reporting companies) must begin complying with the Form 8-K and Form 6-K disclosure requirements on December 18, 2023.
For annual reporting, companies must include the cybersecurity risk management, strategy and governance disclosures in their annual reports for fiscal years ending on or after December 15, 2023. Therefore, for calendar year-end companies, the first report requiring compliance with Item 106 of Regulation S-K will be the Form 10-K for the 2023 fiscal year, filed in 2024.
As noted above, publicly listed companies will face enhanced scrutiny of their policies and procedures in light of the new SEC Cybersecurity Rules. During this transition period, companies should proactively undertake a gap analysis of their current cybersecurity arrangements to prepare for the enhanced disclosure expectations, including:
Existing Cybersecurity Policies and Processes: Issuers should conduct a review of their existing cybersecurity-related policies, procedures, controls and incident-response measures in light of the new rules. This review may include assessing whether any updates may be needed in relation to cybersecurity oversight at the board or committee level, and management's role in assessing, managing and communicating cybersecurity risks.
Board and Management Expertise: Although the SEC removed the requirement to describe the board's cybersecurity expertise, discussion of the expertise of management and of the responsible committee is still required. Nevertheless, some institutional investors may expect board skills matrices and disclosures concerning board expertise or knowledge relating to cybersecurity matters. Issuers may therefore consider board engagement activities to gather further information about board expertise and education on cybersecurity matters.
Incident Response Plans: Issuers should consider reviewing their existing disclosure controls and procedures in light of the new mandatory reporting requirement for material (whether individually or taken together) cybersecurity incidents, to ensure that the appropriate communication channels are in place. Given the four-business-day deadline running from the date of the materiality determination, these controls should ensure that information flows in a timely manner to the disclosure decision-makers, while taking appropriate steps to preserve legal privilege wherever possible.
The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.
© McMillan LLP 2021