Defining Issues | December 2023

 

Insight

SEC staff issues new C&DIs on cybersecurity rules

New C&DIs provide guidance about reporting deadlines and materiality considerations when consulting with Attorney General.

Update: On December 12, 2023, the SEC staff released Compliance & Disclosure Interpretations (C&DIs) providing guidance about the deadlines for a registrant to file an Item 1.05 Form 8-K where the registrant has requested that the Attorney General authorize the deferral of the filing because disclosure of the incident on Form 8-K poses a substantial risk to national security or public safety. On December 14, 2023, the SEC staff released a further C&DI to clarify that consulting with the Department of Justice regarding the availability of such a delay does not necessarily result in the determination that the incident is material.

The final rules require disclosure of material cybersecurity incidents on Form 8-K. The rules also require disclosure on Form 10-K of a registrant’s processes to assess, identify and manage material risks from cybersecurity threats, including management’s role in assessing and managing material risks from cybersecurity threats; as well as the board of directors’ oversight. 

Applicability

  • Public companies subject to the Securities Exchange Act of 1934 – excluding certain Canadian foreign private issuers and asset-backed securities issuers.

Relevant dates

The final rules became effective September 5, 2023 and require the following:

  • All registrants must provide disclosures in Regulation S-K Item 106 and comparable items in Form 20-F beginning with annual reports for fiscal years ending on or after December 15, 2023.
  • All registrants – other than smaller reporting companies – must begin complying with the incident disclosure requirements in Form 8-K Item 1.05 and in Form 6-K on December 18, 2023.
  • Smaller reporting companies must begin complying with Form 8-K Item 1.05 on June 15, 2024. 

Inline XBRL compliance begins one year after the initial compliance date for any issuer for the related disclosure requirement. Specifically:

  • For Regulation S-K Item 106 and Form 20-F, all registrants must begin tagging disclosures in Inline XBRL beginning with annual reports for fiscal years ending on or after December 15, 2024.
  • For Form 8-K Item 1.05 and Form 6-K, all registrants must begin tagging disclosures in Inline XBRL beginning December 18, 2024.

Key impacts

The SEC issued a  Fact Sheet  summarizing the key provisions of the final rules. The cybersecurity disclosure guidance issued by the SEC staff in 2011 and by the Commission in 2018  supplement the final rules. 

Material cybersecurity incidents to be reported on Form 8-K

Under new Item 1.05 of Form 8-K registrants must disclose information about a material cybersecurity incident within four business days after the registrant determines that the incident was material.

This information includes:

  • A description of the material aspects of the nature, scope, and timing of the incident.
  • The material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.

A registrant may delay providing the disclosures for an initial period of 30 days at the determination of the US Attorney General, if it is determined that the disclosures pose a substantial risk to national security or public safety. Additional requests for delay may be acceptable in certain circumstances. 

Updated incident disclosures on an amended Form 8-K are required for any new information about a previously disclosed material incident that was unavailable or undetermined at the time of the initial Form 8-K filing.

 

Cybersecurity risk management, strategy and governance disclosures

Risk management and strategy

Registrants must provide in their Form 10-K a description of their processes, if any, for assessing, identifying and managing material risks from cybersecurity threats, including whether:

  • The described cybersecurity processes have been integrated into the registrant’s overall risk management system or processes, and how. 
  • The registrant engages assessors, consultants, auditors or other third parties in connection with such processes. 
  • The registrant has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider. 

Registrants must also describe whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant – including its business strategy, results of operations, or financial condition and if so, how. 

Governance

The final rules require disclosures about the board of directors’ oversight of risks from cybersecurity threats and management’s role in assessing and managing material risks from cybersecurity threats. 

Foreign Private Issuers (FPIs)

The final rules align incident reporting and periodic disclosures of FPIs on Forms 6-K and 20-F with those required for domestic registrants.

Structured data requirements

The final rules require registrants to report and disclose cybersecurity information in Inline XBRL format.  

Compliance with the structured data requirements is delayed for one year beyond initial compliance with the related disclosure requirement.  

C&DIs

In December 2023, the SEC staff issued four new C&DIs (Questions 104B.01 to 104B.04) to provide implementation guidance about the deadlines for allowable delays for a registrant to file its Form 8-K when the registrant has submitted a request for the Attorney General to authorize the deferral of the filing because disclosure of the incident would pose a substantial risk to national security or public safety.

The SEC staff also clarified that:

  • consulting with the Attorney General about the possibility of a delay does not necessarily result in a determination that the incident was material; and
  • registrants are not precluded from consulting with the Attorney General, or other law enforcement or national security agencies, at any point regarding an incident.


Related content

Subscribe to our newsletter

Receive timely updates on accounting and financial reporting topics from KPMG.

Receive timely updates on accounting and financial reporting topics from KPMG.

Accounting Research Online

Access our accounting research website for additional resources for your financial reporting needs.

Access our accounting research website for additional resources for your financial reporting needs.