New SEC Cybersecurity Disclosures

Securities and Exchange Commission’s (“SEC”) recent adoption of the Final Rules on Cybersecurity Incident disclosures will be pivotal in establishing transparency related to cybersecurity incidents at Registrants.

Background

The Final Rules will augment investors’ interest and confidence, as investors will now have timely and comparable insights available to them to enable decision making based on relevant information. As with any new guidance or act, several Registrants may consider disclosures in compliance with the Final Rules an uphill task before the new compliance disclosures set in from December 2023. The new rules will also require Registrants to reassess the agility of their cybersecurity programs in identifying and reporting material cybersecurity incidents. Registrants’ scrutiny of their cybersecurity posture will also increase, as they will now be required to report such incidents in the Inline eXtensible Business Reporting Language (“Inline XBRL”).

Overview of New Requirements:

The new disclosure requirements can be broadly considered under the following:

1. Strategy, Governance and Incident Disclosure
2. Risk Management and Strategy Disclosure
3. Governance
4. Tagging

Registrants will have to focus on the following requirements for each form:

Changes to Form 10-K:

1. Disclose the risk management strategy through the Registrant’s processes for assessing, identifying, and managing material risks from cybersecurity threats.
2. Disclose the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.
3. Provide a high-level disclosure of assessors, consultants, auditors, or other third parties supporting the cybersecurity landscape. This gives investors a view of the in-house versus outsourced cybersecurity capacity and capability of an organization. Organizations do not have to disclose details such as the name of a third-party vendor or an exact description of the services provided.
4. Describe historical cybersecurity threats and their impact on materiality.

Changes to Form 8-K:

1. Requires Form 8-K disclosures about cybersecurity incidents within four (4) business days after a material cybersecurity incident has been identified (not within four (4) business days of the incident occurring). For each material cybersecurity incident, the disclosure should cover materiality (actual or likely), scope of impact, timing of the incident, and impact on operations and financial condition. The intent is to provide the investor with enough information on the incident and its materiality to support their decision making regarding the organization.
2. Requires updates to Form 8-K within four (4) business days when additional information becomes available that was not determined or was unavailable at the time of filing the initial Form 8-K.
3. Requires correction of prior Form 8-K disclosures that were untrue, incorrect, or omitted (not deliberately to mislead).
4. Requires Form 8-K to cover a series of related unauthorized occurrences that may collectively have a material cybersecurity impact.

The Final Rules define a cybersecurity incident as “an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a Registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a Registrant’s information systems or any information residing therein.”

Changes to Form 6-K (for Foreign Private Issuers (FPIs)):

1. Requires Form 6-K disclosures when the Registrant determines that the incident is material, in addition to meeting the other criteria for required submission of the Form.

Other criteria: A Registrant is required under Form 6-K to furnish copies of all information that it: (i) makes or is required to make public under the laws of its jurisdiction of incorporation, (ii) files, or is required to file, under the rules of any stock exchange, or (iii) otherwise distributes to its security holders.

Changes to Form 20-F:

1. Requires the same cybersecurity risk management, strategy, governance and updated incident disclosures as proposed for domestic (US) public companies.

Changes to XBRL tagging:

1. Registrants must tag the new disclosures in Inline XBRL, including block text tagging of narrative disclosures and detail tagging of quantitative amounts.

The timeline for compliance with the tagging requirement is one year beyond the initial compliance with the disclosure requirements.

Delayed Reporting:

The Final Rules provide for the following exception to the filing deadline:

1. Delays are permitted in filing Form 8-K, subject to approval from the Attorney General, for disclosures that pose a substantial risk to national security or public security.

Brief on Compliance Timelines:

1. The Final Rules will become effective 30 days following publication in the Federal Register.
2. The Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023.
3. The Form 8-K and Form 6-K disclosures will be due beginning the later of 90 days after the date of publication in the Federal Register or December 18, 2023.
4. Smaller reporting companies will have an additional 180 days before they must begin providing the Form 8-K disclosure.

Way Forward:

Registrants need to analyze their cybersecurity programs and reporting procedures to determine whether their programs and initiatives are ready to support the required disclosures.

Registrants should consider focusing on the following:

1. Review their approach to defining and determining materiality so that it covers cybersecurity incidents from both qualitative and quantitative perspectives.
2. Prepare the Board, or consider augmenting the Board’s and Management’s cybersecurity expertise.
3. Evaluate existing controls and procedures to assess their capability to report material cybersecurity incidents.
4. Evaluate relationships with third-party vendors that may impact their cybersecurity posture and reporting compliance.
5. Assess the existing technology landscape for its effective and timely monitoring and notification capabilities.
