The Securities and Exchange Commission (“SEC”) adopted new rules requiring the disclosure of cybersecurity risk management, strategy, governance and material incidents (the “Rules”), effective September 5, 2023. The Rules apply to U.S. domestic companies and foreign private issuers (“FPIs”). Canadian issuers reporting under the U.S.-Canada Multijurisdictional Disclosure System (“MJDS”) will be impacted to the extent that they are required to report material cybersecurity incidents in accordance with applicable Canadian rules.
New Disclosure Requirements
Cybersecurity threats and incidents pose an ongoing and escalating risk to public companies. The SEC has indicated that it adopted the Rules to promote sound investment decision-making by providing investors with information in a consistent format that can be used to evaluate and compare issuers with respect to their exposure to material cybersecurity risks and incidents, as well as their ability to manage and mitigate them.
The SEC defines a “cybersecurity incident” as an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity or availability of a registrant’s information systems or any information residing therein. The Rules require U.S. domestic issuers to report cybersecurity incidents under a new Item 1.05 of Form 8-K within four business days of determining that an incident is material (rather than the date of the incident’s discovery). In determining whether an incident is material, issuers should apply the same materiality standard that generally applies under U.S. securities law – that is, whether there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision or whether it would significantly alter the total mix of information made available.
The Form 8-K must describe the material aspects of the breach, including: (i) the nature, scope and timing of the incident; and (ii) the impact or reasonably likely impact on the company, including its financial condition and results of operations.
A company may delay filing if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety.
FPIs, including those eligible for the MJDS, must furnish, on Form 6-K, information on material cybersecurity incidents that they disclose in a foreign jurisdiction to any stock exchange or securityholder.
Companies must begin complying with the new Form 8-K and 6-K requirements on December 18, 2023. Smaller reporting companies (i.e., companies that have: (i) a public float of less than US$250 million; or (ii) annual revenues of less than US$100 million and either no public float or a public float of less than US$700 million) do not need to comply until June 15, 2024.
Annual Reporting Requirements
The Rules also require enhanced disclosure of a company’s cybersecurity risk management and governance in annual reports on Forms 10-K and 20-F (but not on the Form 40-F that is available to MJDS issuers, as noted below). In particular, a company must describe:
- its processes, if any, for the assessment, identification and management of material risks from cybersecurity threats, including: (i) whether and how the cybersecurity processes have been integrated into the overall risk management system; (ii) whether the company engages assessors, consultants, auditors or other third parties in connection with such processes; and (iii) whether the company has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider;
- whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect its business strategy, results of operations or financial condition;
- the board’s oversight of risks from cybersecurity threats, including: (i) identifying any board committee responsible for oversight; and (ii) describing the process by which the board or committee is informed of such risks; and
- management’s role in assessing and managing material risks from cybersecurity threats.
Applicable companies must provide such disclosures beginning with annual reports for fiscal years ending on or after December 15, 2023.
Impact for Canadian Issuers
Canadian issuers eligible to use MJDS are permitted to use Canadian disclosure standards and documents to satisfy the SEC’s registration and disclosure requirements. As a result, the SEC did not adopt any changes to the annual reports required to be filed on Form 40-F by MJDS issuers, and Form 6-K was amended only to reference material cybersecurity incidents as an item that may trigger the form’s filing.
Canadian and U.S. securities laws impose different requirements relating to the announcement of material cybersecurity incidents. Under Canadian securities laws, where a material change occurs in the affairs of a reporting issuer, the company is generally required to issue a news release forthwith disclosing the nature and substance of the change. The Toronto Stock Exchange requires a listed company to disclose material information concerning its business and affairs forthwith upon it becoming known to management. By contrast, the Rules provide that a U.S. domestic issuer must file Form 8-K within four business days of determining that a cybersecurity incident was material.
While Canadian securities laws do not currently impose any specific cybersecurity disclosure requirements, in 2017, the Canadian Securities Administrators (“CSA”) published CSA Multilateral Staff Notice 51-347 Disclosure of Cyber Security Risks and Incidents (the “Notice”), which provides guidance on certain disclosure expectations, as we discussed in a previous post. The Notice indicated that CSA Staff continue to monitor trends in cybersecurity disclosure and review the extent and timing of cybersecurity incident reporting. Given the increase in regulatory scrutiny and prevalence of cybersecurity attacks, the SEC’s adoption of the Rules may influence Canadian issuers’ disclosure practices going forward.
Companies should therefore ensure that they have established cyber risk management programs that can identify and manage cybersecurity risks and respond to incidents quickly. Processes should be in place to communicate information promptly and to provide for cybersecurity expertise and training.
The Rules apply independently of any data breach reporting obligations that may arise under Canada’s private-sector privacy laws, such as the federal and Quebec statutes.
We continue to monitor these important developments.