Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure

Aug. 30, 2023

A Small Entity Compliance Guide[1]

Introduction

On July 26, 2023, the Securities and Exchange Commission (the “Commission”) adopted new rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934 (the “Exchange Act”). The new rules have two main components:

(1) Disclosure of material cybersecurity incidents. For domestic registrants, this disclosure must be filed on Form 8-K within four business days of determining that a cybersecurity incident is material. For foreign private issuers (“FPIs”),[2] this disclosure must be furnished on Form 6-K promptly after the incident is disclosed or otherwise publicized (or is required to be disclosed or publicized) in a foreign jurisdiction, to any stock exchange, or to security holders.

(2) Annual disclosure of cybersecurity risk management, strategy, and governance. For domestic registrants, this disclosure is made on Form 10-K. For FPIs, this disclosure is made on Form 20-F.

In addition, the rules require the new disclosures to be tagged with Inline eXtensible Business Reporting Language (“Inline XBRL”).

Who is affected by the rules?

The new rules affect domestic registrants and FPIs subject to the reporting requirements under the Exchange Act.[3] The rules also apply to business development companies (“BDCs”) as defined in section 2(a)(48) of the Investment Company Act of 1940.[4]

What changes were made by the rules?

Material Cybersecurity Incident Disclosure

The new rules add Item 1.05 to Form 8-K. Item 1.05 requires disclosure of the following information regarding a material cybersecurity incident:

  • The material aspects of the nature, scope, and timing of the incident; and
  • The material impact or reasonably likely material impact on the registrant, including on the registrant’s financial condition and results of operations.

Item 1.05 does not require the registrant to disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail that would impede its response or remediation of the incident.

Importantly, the deadline for filing an Item 1.05 Form 8-K is tied not to discovery but to the registrant’s determination that the incident is material. The filing must be made within four business days of the registrant determining that a cybersecurity incident is material. The rule instructs registrants to make the materiality determination “without unreasonable delay.” As is the case in other securities contexts, information is material if “there is a substantial likelihood that a reasonable shareholder would consider it important”[5] in making an investment decision, or if it would have “significantly altered the ‘total mix’ of information made available.”[6] Because materiality’s focus is on the total mix of information from the perspective of a reasonable investor, registrants assessing the materiality of a cybersecurity incident should do so through the lens of the reasonable investor. Their evaluation should take into consideration all relevant facts and circumstances, which may involve consideration of both quantitative and qualitative factors.

Item 1.05 allows for limited delay if the United States Attorney General (the “Attorney General”) determines that disclosure of a cybersecurity incident poses a substantial risk to national security or public safety and notifies the Commission of such determination in writing.[7] Registrants should work with the Department of Justice if they believe national security or public safety may be implicated by a material cybersecurity incident.

The new rules add “material cybersecurity incident” to the list of items that trigger Form 6-K disclosure. Thus, if an FPI discloses or otherwise publicizes (or is required to disclose or publicize) a material cybersecurity incident in a foreign jurisdiction, to any stock exchange, or to security holders, it must promptly furnish the same information regarding the incident on Form 6-K.

Risk Management, Strategy, and Governance Disclosure

The new rules add Item 106 to Regulation S-K requiring registrants to disclose certain information regarding their risk management, strategy, and governance relating to cybersecurity in their annual reports on Form 10-K. The new rules add Item 16K to Form 20-F to require comparable disclosure by FPIs in their annual reports on Form 20-F.

Specifically, with respect to risk management, Item 106 and Item 16K require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect them. The new rules include a non-exclusive list of disclosure items registrants should provide based on their facts and circumstances.

With respect to governance, Item 106 and Item 16K require registrants to describe the board of directors’ oversight of risks from cybersecurity threats (including identifying any board committee or subcommittee responsible for such oversight) and management’s role in assessing and managing material risks from cybersecurity threats.

Structured Data Requirements

The new rules require that registrants tag the new disclosures in Inline XBRL, including by block text tagging narrative disclosures and detail tagging quantitative amounts. As noted below, compliance with the tagging requirements is delayed for one year after the initial compliance date for the disclosures.

Please refer to the adopting release for a complete description of the new rules.

What are the compliance dates of the rules?

The compliance dates vary by the type of disclosure, with smaller reporting companies (“SRCs”)[8] being afforded a longer compliance period for incident reporting:

(1) With respect to the annual Form 10-K and Form 20-F cybersecurity disclosures, all registrants (including SRCs) must provide such disclosures beginning with their annual reports for fiscal years ending on or after December 15, 2023.

(2) With respect to material cybersecurity incident disclosure on Form 8-K and Form 6-K, registrants that are not SRCs must begin complying by December 18, 2023. SRCs have an additional 180 days to comply, meaning that they must begin complying by June 15, 2024.

(3) With respect to the structured data requirements (i.e., Inline XBRL tagging), all registrants (including SRCs) must begin tagging their cybersecurity disclosures in Form 10-K and Form 20-F in Inline XBRL for fiscal years ending on or after December 15, 2024, and all registrants (including SRCs) must begin tagging their material cybersecurity incident disclosures in Form 8-K and Form 6-K in Inline XBRL by December 18, 2024.

Other Resources

The adopting release for these new rules can be found on the Commission’s website at https://www.sec.gov/files/rules/final/2023/33-11216.pdf.

The Commission’s disclosure forms can be accessed on the agency’s website at https://www.sec.gov/forms.

Contacting the SEC

The Commission’s Division of Corporation Finance is happy to assist small companies and others with questions regarding the new rules. You may contact the Division for this purpose at (202) 551-3400 or https://www.sec.gov/forms/corp_fin_interpretive.

Questions on other Commission regulatory matters concerning small companies may be directed to the Division’s Office of Small Business Policy at (202) 551-3460.

The Commission’s Division of Investment Management’s Chief Counsel’s Office is also available to assist small entities and others with questions regarding the rules applicable to BDCs. You may contact the Office for this purpose at (202) 551-6825 or IMOCC@sec.gov.


[1] This guide was prepared by the staff of the Securities and Exchange Commission as a “small entity compliance guide” under Section 212 of the Small Business Regulatory Enforcement Fairness Act of 1996, as amended. The guide summarizes and explains the rules adopted by the Commission but is not a substitute for any rule itself. Only the rule itself can provide complete and definitive information regarding its requirements.

[2] “Foreign private issuer” is defined in 17 CFR 230.405 and 17 CFR 240.3b-4 as any foreign issuer other than a foreign government except for an issuer meeting the following conditions as of the last business day of its most recently completed second fiscal quarter: (1) More than 50 percent of the issuer’s outstanding voting securities are directly or indirectly held of record by residents of the United States; and (2) Any of the following: (i) The majority of the executive officers or directors are United States citizens or residents; (ii) More than 50 percent of the assets of the issuer are located in the United States; or (iii) The business of the issuer is administered principally in the United States.

[3] The rules do not apply to eligible registrants that file disclosures on Form 40-F under the Multijurisdictional Disclosure System, nor to asset-backed issuers as defined in Item 1101 of Regulation AB. 17 CFR 229.1101.

[4] The new rules do not apply to investment companies registered under the Investment Company Act of 1940.

[5] TSC Indus. v. Northway, 426 U.S. 438, 449 (1976); Matrixx Initiatives v. Siracusano, 563 U.S. 27, 38-40 (2011); and Basic v. Levinson, 485 U.S. 224, 240 (1988).

[7] Initially, disclosure may be delayed for a time period specified by the Attorney General, up to 30 days following the date when the disclosure was otherwise required to be provided. The delay may be extended for an additional period of up to 30 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing. In extraordinary circumstances, disclosure may be delayed for a final additional period of up to 60 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security and notifies the Commission of such determination in writing.

[8] An SRC is an issuer that is not an investment company, an asset-backed issuer, or a majority-owned subsidiary of a parent that is not an SRC and that: (1) had a public float of less than $250 million; or (2) had annual revenues of less than $100 million and either (a) no public float, or (b) a public float of less than $700 million. See Securities Act Rule 405 and Exchange Act Rule 12b-2. BDCs do not fall within the SRC definition, and thus do not qualify for the scaled disclosures.