A Small Entity Compliance Guide[1]

Introduction

On July 26, 2023, the Securities and Exchange Commission (the “Commission”) adopted new rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934 (the “Exchange Act”). The new rules have two main components:

(1) Disclosure of material cybersecurity incidents. For domestic registrants, this disclosure must be filed on Form 8-K within four business days of determining that a cybersecurity incident is material. For foreign private issuers (“FPIs”),[2] this disclosure must be furnished on Form 6-K promptly after the incident is disclosed or otherwise publicized (or is required to be disclosed or publicized) in a foreign jurisdiction, to any stock exchange, or to security holders.

(2) Annual disclosure of cybersecurity risk management, strategy, and governance. For domestic registrants, this disclosure is made on Form 10-K. For FPIs, this disclosure is made on Form 20-F.

In addition, the rules require the new disclosures to be tagged with Inline eXtensible Business Reporting Language (“Inline XBRL”).

Who is affected by the rules?

The new rules affect domestic registrants and FPIs subject to the reporting requirements under the Exchange Act.[3] The rules also apply to business development companies (“BDCs”) as defined in section 2(a)(48) of the Investment Company Act of 1940.[4]

What changes were made by the rules?

Material Cybersecurity Incident Disclosure

The new rules add Item 1.05 to Form 8-K. Item 1.05 requires disclosure of the following information regarding a material cybersecurity incident:

• The material aspects of the nature, scope, and timing of the incident; and
• The material impact or reasonably likely material impact on the registrant, including on the registrant’s financial condition and results of operations.

Item 1.05 does not require the registrant to disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail that would impede its response or remediation of the incident.

Importantly, the deadline for filing an Item 1.05 Form 8-K is tied not to discovery but to the registrant’s determination that the incident is material. The filing must be made within four business days of the registrant determining that a cybersecurity incident is material. The rule instructs registrants to make the materiality determination “without unreasonable delay.” As is the case in other securities contexts, information is material if “there is a substantial likelihood that a reasonable shareholder would consider it important”[5] in making an investment decision, or if it would have “significantly altered the ‘total mix’ of information made available.”[6] Because materiality’s focus is on the total mix of information from the perspective of a reasonable investor, registrants assessing the materiality of a cybersecurity incident should do so through the lens of the reasonable investor. Their evaluation should take into consideration all relevant facts and circumstances, which may involve consideration of both quantitative and qualitative factors.

Item 1.05 allows for limited delay if the United States Attorney General (the “Attorney General”) determines that disclosure of a cybersecurity incident poses a substantial risk to national security or public safety and notifies the Commission of such determination in writing.[7] Registrants should work with the Department of Justice if they believe national security or public safety may be implicated by a material cybersecurity incident.

The new rules add “material cybersecurity incident” to the list of items that trigger Form 6-K disclosure. Thus, if an FPI discloses or otherwise publicizes (or is required to disclose or publicize) a material cybersecurity incident in a foreign jurisdiction, to any stock exchange, or to security holders, it must promptly furnish the same information regarding the incident on Form 6-K.

Risk Management, Strategy, and Governance Disclosure

The new rules add Item 106 to Regulation S-K requiring registrants to disclose certain information regarding their risk management, strategy, and governance relating to cybersecurity in their annual reports on Form 10-K. The new rules add Item 16K to Form 20-F to require comparable disclosure by FPIs in their annual reports on Form 20-F.

Specifically, with respect to risk management, Item 106 and Item 16K require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect them. The new rules include a non-exclusive list of disclosure items registrants should provide based on their facts and circumstances.

With respect to governance, Item 106 and Item 16K require registrants to describe the board of directors’ oversight of risks from cybersecurity threats (including identifying any board committee or subcommittee responsible for such oversight) and management’s role in assessing and managing material risks from cybersecurity threats.

Structured Data Requirements

The new rules require that registrants tag the new disclosures in Inline XBRL, including by block text tagging narrative disclosures and detail tagging quantitative amounts. As noted below, compliance with the tagging requirements is delayed for one year after the initial compliance date for the disclosures.

Please refer to the adopting release for a complete description of the new rules.

What are the compliance dates of the rules?

The compliance dates vary by the type of disclosure, with smaller reporting companies (“SRCs”)[8] being afforded a longer compliance period for incident reporting:

(1) With respect to the annual Form 10-K and Form 20-F cybersecurity disclosures, all registrants (including SRCs) must provide such disclosures beginning with their annual reports for fiscal years ending on or after December 15, 2023.

(2) With respect to material cybersecurity incident disclosure on Form 8-K and Form 6-K, registrants that are not SRCs must begin complying by December 18, 2023. SRCs have an additional 180 days to comply, meaning that they must begin complying by June 15, 2024.

(3) With respect to the structured data requirements (i.e., Inline XBRL tagging), all registrants (including SRCs) must begin tagging their cybersecurity disclosures in Form 10-K and Form 20-F in Inline XBRL for fiscal years ending on or after December 15, 2024, and all registrants (including SRCs) must begin tagging their material cybersecurity incident disclosures in Form 8-K and Form 6-K in Inline XBRL by December 18, 2024.

Other Resources

The adopting release for these new rules can be found on the Commission’s website at https://www.sec.gov/files/rules/final/2023/33-11216.pdf.

The Commission’s disclosure forms can be accessed on the agency’s website at https://www.sec.gov/forms.

Contacting the SEC

The Commission’s Division of Corporation Finance is happy to assist small companies and others with questions regarding the new rules. You may contact the Division for this purpose at (202) 551-3400 or https://www.sec.gov/forms/corp_fin_interpretive.

Questions on other Commission regulatory matters concerning small companies may be directed to the Division’s Office of Small Business Policy at (202) 551-3460.

The Commission’s Division of Investment Management’s Chief Counsel’s Office is also available to assist small entities and others with questions regarding the rules applicable to BDCs. You may contact the Office for this purpose at 202-551-6825 or IMOCC@sec.gov.