This Heads Up has been updated to reflect changes as a result of (1) a December 14, 2023, statement on cybersecurity disclosure by Erik Gerding, director of the SEC’s Division of Corporation Finance (the “Division”), and his comments at the 2023 AICPA & CIMA Conference on Current SEC and PCAOB Developments; (2) new Compliance and Disclosure Interpretations (C&DIs) issued by the SEC staff; and (3) guidance by the FBI, in coordination with Department of Justice (DOJ) guidelines, on requesting a temporary delay in disclosing material cybersecurity incidents if disclosing such information would pose a substantial risk to national security or public safety. Updated paragraphs in the Heads Up are identified below in red boldface italic.
SEC Final Rule Release No. 33-11216, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.
CF Disclosure Guidance Topic No. 2, “Cybersecurity,” and SEC Interpretive Release No. 33-10459, Commission Statement and Guidance on Public Company Cybersecurity Disclosures.
The final rule amends Forms 20-F and 6-K to require FPIs to provide disclosures that are generally consistent with those discussed herein for domestic registrants. Specifically, FPIs must disclose in their annual Form 20-F the board’s oversight of risks from cybersecurity threats and management’s role in assessing and managing material risks from cybersecurity threats. The final rule also requires FPIs to furnish on Form 6-K information on material cybersecurity incidents that they disclose or publicize in a foreign jurisdiction to any stock exchange or security holders.
SEC Proposed Rule Release No. 33-11038, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.
Note that the final rule’s inclusion of “financial condition and results of operations” is not exclusive, and companies should consider qualitative factors alongside quantitative factors in assessing the material impact of an incident.
The final rule notes that “[t]he delay provision for substantial risk to national security or public safety is separate from Exchange Act Rule 0-6, which provides for the omission of information that has been classified by an appropriate department or agency of the Federal government for the protection of the interest of national defense or foreign policy. If the information a registrant would otherwise disclose on an Item 1.05 Form 8-K or pursuant to Item 106 of Regulation S-K or Item 16K of Form 20-F is classified, the registrant should comply with Exchange Act Rule 0-6.”
Adoption dates applicable to FPIs for disclosures in Form 6-K are consistent with Form 8-K, Item 1.05, and disclosures in Form 20-F are consistent with Item 106.
SEC Final Rule Release No. 34-95607, Pay Versus Performance.
SEC Proposed Rule Release No. 33-11028, Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies.