The Matrix

I. Disclosure of Cybersecurity Incidents Under Forms 8-K, 10-K and 10-Q

Form 8-K

The SEC intends to amend Form 8-K by adding Item 1.05 which would require registrants to disclose information about a cybersecurity incident within four (4) business days after the occurrence of such incident. A company would be required to report: (i) when an incident was discovered and if it remained ongoing; (ii) a description of the incident; (iii) whether data was stolen, altered, accessed, or used for any unauthorized purpose; (iv) how the incident impacted the operations of the company; and (v) if the company had remediated, or was in the process of remediating, the incident. However, failure to timely report would not affect a company’s Form S-3 eligibility, and the reporting requirement would be subject to the limited safe harbor from certain public and private claims under Section 10(b) and Rule 10b-5 of the Securities Exchange Act of 1934.

Forms 10-K and 10-Q

The SEC also intends to amend forms 10-K and 10-Q via Item 106(d)(1) of Regulation S-K which would require companies to update prior disclosures regarding cybersecurity incidents, by, for example, providing information relating to any such incidents’ past and potential effects on the company, the status of any remediation efforts, and upcoming changes to the company’s cybersecurity posture. The Proposed Rules also seek to amend Item 106(d)(2) of Regulation S-K to mandate disclosure of any series of “individually immaterial cybersecurity incidents has become material in the aggregate.”

II. Risk Management, Strategy and Governance Disclosures Under Form 10-K and Regulation S-K

Form 10-K and Regulation S-K

Under the Proposed Rules, an amendment to Item 106 of Form 10-K would mandate “consistent and informative” disclosure of cybersecurity risk management and strategy. Such amendment would require a company to disclose how it: (i) selects and oversees third-party service providers in the management and mitigation of cyber risk; and (ii) analyzes the cyber risks associated with its business model.

Amendments to Item 106(b) of Regulation S-K would further require disclosure as to whether: (i) a company possesses a cybersecurity risk assessment and management program; (ii) a company uses third parties with regard to such program; (iii) a company utilizes policies and procedures to assess cyber risks concerning third-party service providers, and evaluates third-party providers’ potential risks when choosing and supervising said providers; (iv) a company’s current cybersecurity programs are influenced by previous cybersecurity incidents; (v) cybersecurity incidents or risks have detrimentally impacted or could reasonably detrimentally impact a company’s operations and financial condition in the future; and (vi) cybersecurity risks are part of a company’s business strategy.

The Proposed Rules would also amend Regulation S-K in order to require a company to disclose how the board and management of such company assumes responsibility for cyber risk. Under proposed Item 106(c) of Regulation S-K, such disclosures would include: (i) whether management of cybersecurity risks is the responsibility of the entire board, a committee, or specific board members; (ii) a description of processes for alerting the board to cybersecurity risks and the frequency with which the board discusses those risks; and (iii) whether and how the board (or committee) assesses cyber risk as a component of its overall strategy, risk management, and financial oversight. In addition to a description of board responsibilities, the proposed Item 106(c) would require companies to describe management’s cybersecurity expertise and their role in executing cybersecurity measures, policies, procedures and strategies.

III. Disclosures Regarding the Cybersecurity Expertise of Board Members Under Regulation S-K

Regulation S-K

The SEC intends to add a new Item 407(j) to Regulation S-K, which would mandate disclosure of directors’ relevant cybersecurity expertise in annual reports, annual meeting proxy statements, and information statements.

IV. Foreign Private Issuers Application Under Forms 20-F and 6-K

Form 20-F

With respect to foreign private issuers, the Proposed Rules also provide for the amendment of Form 20-F to mandate foreign private issuers to include the same disclosures required for domestic companies (in the proposed Items 106 and 407(j) of Regulation S-K) on Form 20-F of a foreign issuer’s annual reports.

Form 6-K

Form 6-K would be amended to add “cybersecurity incidents” as a potential reporting event, and where a foreign private issuer has reported an incident on Form 6-K previously, the Proposed Rules would mandate updating the company’s Form 20-F with respect to such incidents, as is required of domestic companies by proposed Item 106(d)(1) of Regulation S-K. In addition, Form 20-F would be amended to require foreign private issuers to disclose, on an annual basis, information on any previously undisclosed material cybersecurity incidents that occurred during the reporting period, including “a series of previously undisclosed individually immaterial cybersecurity incidents that become material when considered together.”

V. Structured Data Requirements

Inline XBRL

The disclosures required under Item 1.05 of Form 8-K and Items 106 and 407(j) of Regulation S-K would be required to be tagged in Inline XBRL in accordance with Rule 405 of Regulation S-T and the EDGAR Filer Manual. This would include block text tagging of narrative disclosures, in addition to detail tagging of quantitative amounts disclosed in the narrative disclosures.

VI. Comments and Timing

The SEC requested comments on these Proposed Rules and the period to submit such comments closed on May 9, 2022. However, because the average time between publication of proposed and final rules is around 450 days, final regulations implementing the Proposed Rules are not expected until 2023. Importantly, among the almost 140 comments submitted, law firms, businesses, and lobbyists advocated for victims of cyberattacks being provided with more than four (4) days to investigate incidents of “material” breaches before reporting them to investors and the public. Advocates of a longer investigation and reporting period argue that the 4-day deadline is likely to leave investors with more questions than answers. Law firms and lobbyists representing victims of breaches further caution that this short deadline could jeopardize probes by alerting attackers that a victim is aware of their activities and result in attackers who know that they have been detected stealing more data quicker than they otherwise would have. There have also been efforts to create a provision allowing an exception to reporting an incident where a company is cooperating with an active law enforcement investigation or in negotiations with hackers to recover “critical corporate assets” impacted by an attack. Finally, questions on how to specifically define a “material” cybersecurity breach have arisen and are currently undergoing discussion.