Canadian issuers that are reporting issuers with the Securities and Exchange Commission should be aware of new rules that impose disclosure requirements regarding cybersecurity risk management, strategy, governance and incidents.
The new rules have two basic components. First, certain issuers will have new disclosure requirements regarding the registrant’s processes and policies for cybersecurity risk management, strategy and governance. These disclosures (which we refer to as “risk management disclosures”) will be required in the registrant’s annual report. The new risk management disclosures apply to nearly all domestic SEC reporting issuers (including Canadian issuers that report on domestic forms) and those foreign private issuers that report on Form 20-F.
Second, in the event of a material unauthorized occurrence on or conducted through a company’s information systems (which we refer to as a “cybersecurity incident”), all reporting issuers will need to provide current disclosure regarding that incident on the appropriate form (either 6-K or 8-K). The cybersecurity incident disclosure requirements apply to all SEC reporting issuers, including those Canadian issuers that report on Form 40-F.
For Canadian issuers that report on either Form 20-F or 40-F, in the event of a material cybersecurity incident, the issuer must furnish on Form 6-K the information that the issuer (i) makes or is required to make public pursuant to the law of the jurisdiction of its domicile or in which it is incorporated or organized, or (ii) files or is required to file with a stock exchange on which its securities are traded and which was made public by that exchange, or (iii) distributes or is required to distribute to its security holders.
For Canadian issuers that report on Form 20-F, the risk management disclosures will be required in the annual report for fiscal years beginning on or after December 15, 2023. The applicable risk management disclosure requirements for 20-F filers are contained in Item 16K of Form 20-F.
For Canadian issuers that file on Form 40-F, 20-F or 10-K (other than smaller reporting companies), the disclosures required in connection with a cybersecurity incident will be required after December 18, 2023. Issuers that file on Form 10-K (including Canadian issuers) that qualify as “smaller reporting issuers” will have an additional 180 days before they are required to comply with the cybersecurity incident reporting requirements, that is, after June 15, 2024.
Issuers must tag the new disclosures in Inline XBRL, including by block text tagging narrative disclosures and detail tagging quantitative amounts, beginning one year after the initial compliance date for the issuer for the related disclosure requirement.
A summary of the new rules can be found here and the adopting release for the new rules can be found here.