SEC’s new mandatory cybersecurity disclosure rules and implications for Canadian issuers


On July 26, 2023, the United States Securities and Exchange Commission (SEC) adopted final rules requiring disclosure [PDF] by public companies of cybersecurity incidents, risk management and governance (which we previously discussed here). The new rules apply to most U.S. domestic issuers, as well as foreign private issuers reporting on Form 20-F (FPIs), but do not apply to Canadian issuers reporting on Form 40-F under the U.S.–Canada Multijurisdictional Disclosure System.

Annually, U.S. domestic issuers and FPIs must describe their processes, if any, for the assessment, identification and management of material risks from cybersecurity threats, and describe whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations or financial condition. In addition, U.S. domestic issuers and FPIs must describe (i) the board’s oversight of risks from cybersecurity threats and (ii) management’s role in assessing and managing material risks from cybersecurity threats.

The rules also introduce new requirements for disclosing material cybersecurity incidents on a timely basis. A “cybersecurity incident” is defined as an “unauthorized occurrence or series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein”. In the final release, the SEC clarified that “accidental” occurrences are to be considered “unauthorized” and that the new rules cover incidents occurring through third-party systems. U.S. domestic issuers must disclose material cybersecurity incidents on Form 8-K within four business days of determining that the incident is material. FPIs must promptly disclose material cybersecurity incidents on Form 6-K that they publicly disclose in their home jurisdiction.

A key difference between the U.S. and Canadian approaches is that the SEC mandates the filing of a Form 8-K within four business days of determining that the cybersecurity incident is material, whereas under Canadian securities law and stock exchange requirements, a press release is required to be issued forthwith upon determining that the cyber breach is material.

The SEC provides guidance on how issuers should make materiality determinations in assessing when a material cybersecurity incident has occurred. If the new rules are seen as improving the quality and timeliness of disclosure on cybersecurity matters for U.S. securities law purposes, they will likely influence the approach to making materiality determinations for Canadian securities law purposes.

The final rules are effective September 5, 2023. Annual cybersecurity risk management, strategy and governance disclosures in compliance with Regulation S-K, Item 106 (for U.S. domestic issuers) and Item 16K of Form 20-F (for FPIs) must be included in annual reports for fiscal years ending on or after December 15, 2023. Material cybersecurity incident disclosures on Form 8-K (for U.S. domestic issuers) and on Form 6-K (for FPIs) will be required starting on December 18, 2023, except for smaller reporting companies, which will be given an additional 180 days to comply with the requirement, starting on June 15, 2024.

Read the full Update posted on August 21, 2023.