Transcript
Scott Snyder: Hello, I’m Scott Snyder, and I’m very pleased to be joined today by Jen Froberg.
Jen, the SEC recently passed a rule to modernize cybersecurity reporting for corporate issuers. I know that you’ve expressed to me that we do anticipate the SEC will extend that to mutual funds in the future, but for the moment it’s just the corporate issuers.
Jennifer Froberg: Yes.
Scott: Can we begin with an overview of the rule itself? What is it the SEC passed and what are they actually trying to do with the introduction of the new cybersecurity rule?
Jen: The rule is fairly extensive in scope and will apply to both domestic issuers and foreign private issuers who file on Form 20-F.
The rule is intended to modernize reporting. The SEC had guidance that they adopted in 2011, so over a decade ago.
In the intervening decade, the SEC has had many incidents of cybersecurity issues. They have brought charges against companies related to cybersecurity issues. So, it was time to modernize and make reporting more transparent, so that investors and the marketplace had the most current information related to both issues that might happen for a company and how they respond to those.
Scott: That’s great foundation and completely understand in today’s world why that might be important. The rule does specify though how that disclosure needs to happen.
Can you tell us a little bit about what that specific requirement is? What are companies going to have to do? Is there a form type for instance that it will need to appear on?
Jen: So, there are two different branches or key points of reporting.
The first is incident reporting. If there is a cybersecurity incident, the company has to make a determination internally once they know that there has been some type of breach or incident if it’s material, and material is a term that’s legal in nature.
It’s really up to the company and their legal counsel to determine the impact and the scope of what that incident might be and does that meet the threshold of reporting.
Once that material determination is made, domestic companies based in the United States will have to report within four business days on Form 8-K. There’s a new item number, Item 105, which will be required and that will signify on any 8-K filing that would be a cybersecurity incident.
So, the SEC intentionally created that new item to be able to inform people who are reading, investors or the market to know that there has been an issue.
Related to that, when foreign private issuers, so those are companies who file with the SEC and are public companies, have a cybersecurity incident, they will also have to report similarly on Form 6-K.
I am going to also add one additional piece related to the incident reporting that’s very important.
So, when the incident occurs, the SEC has designed into the rule that if there’s anything particularly sensitive or anything that might cause further security issues, such as national security or that might further compromise a system issue, that isn’t required to be reported.
So, the SEC has designed some flexibility and options for companies to ensure ongoing security.
Scott: Jen, as the incidents happen, companies get four days essentially to report that to the SEC.
What about annually? Is there some sort of summary, maybe in a 10-K, that the company has to disclose as part of that annual filing?
Jen: Yes. Along with the incident reporting, the other prong is in the annual report, and that’s related to a company’s ongoing governance and their policies and practices to manage cybersecurity risks and the incidents that might occur related to that.
So, what are their internal practices, both to mitigate an incident and in response to an incident?
What’s the level of involvement with their board? What do their executives do? What does communication look like? Many other related points, and these will be specific to the individual company.
It’s important to note that the new requirements will apply to both domestic issuers who file on Form 10-K and then foreign private issuers who file 20-Fs. Those annual reports would be required to be tagged. Canadian issuers who file on Form 40-F are exempt from the rule.
Scott: Jen, that background is really important. Thanks for sharing it.
But of course, we know that the SEC didn’t stop with just disclosing. They’ve introduced the Inline XBRL requirement.
Let’s talk about that. Why Inline XBRL in this specific rule? What are the implications maybe for filers as they air those, either specific incidents on an 8-K or maybe their annual filing?
Jen: The SEC has, in all of their rulemaking recently, been modernizing disclosure and adopting Inline XBRL or XML, which are formats of structured data.
Structured data is really important, particularly Inline XBRL, because it’s both human and machine readable. So a human investor who is looking at this Inline XBRL tagged cybersecurity disclosure can read it in an 8-K, or it can be analyzed behind the scenes by the marketplace to compare and contrast.
For example, what are a company’s policies about cybersecurity, their risk management? And compare it one across another company and see what peers are doing.
So, there’s very important information in Inline XBRL, and this will be the first time that the 8-K will be tagged within the body of the document.
Currently we have cover tagging for 8-Ks and sometimes financial statements that are tagged, and those are in an exhibit. So, filers need to be prepared to know that tagging would occur in the 8-K and be required with their 8-K.
Now it’s important to note we’ll talk about the timing in a little bit more detail, but that will be delayed one year after the compliance dates for all of the tagging. So, filers have to prepare first to disclose their incidents and their risk management governance for cybersecurity. Then they will need to prepare for tagging.
Scott: Jen, there must be some technical details that issuers need to be aware of. Can you talk about those?
Jen: Absolutely, Scott. So, to prepare for the Inline XBRL tagging, that’s part of the reason why the SEC delayed the tagging one year because it does take a little bit more work, both on the SEC side and on the company side to prepare for that tagging.
So, the SEC will most likely be adopting a new taxonomy and they have a specific process. They issue a draft that’s reviewed and then there’s a final.
Because the cybersecurity disclosure is very unique in subject matter, it will probably be a separate taxonomy, I believe.
Scott: So, Jen, at this point we really understand an overview of the rule itself and the Inline XBRL tagging requirements. But folks listening are probably most interested in the when.
What has the SEC signaled as it might relate to a 10-K or a 20-F, or maybe even timing if an incident happens early next year on their 8-K or their 6-K as you talked about earlier?
Let’s start with annual reporting. What does that timing look like?
Jen: So that disclosure in the annual report for 10-Ks, 20-Fs, regardless of what size company, regardless of filer status, begins Dec. 15, 2023, fiscal year end.
So, in your upcoming annual report, companies will need to prepare to include that cybersecurity risk management and governance.
Scott: If a company were to have an incident on let’s say Feb. 1 of 2024, what would the reporting requirement be?
Is that different for the different size of companies again, or what’s the SEC signal for that?
Jen: That reporting depends on their size. Smaller reporting companies get an extra six months so that the burden is less. They would start incident reporting June 15, 2024.
Any other issuer, one who’s not a smaller reporting company, if they have a cybersecurity incident, starts Dec. 18, 2023, and after.
Scott: Jen, thanks for all that great information on the cybersecurity rule.
Obviously, a lot for corporate issuers to consider as they approach not only their annual filing but, of course, incidents after Dec. 18 this year as you talked about a moment ago.
Any final thoughts you have on the cybersecurity rule, maybe impact on issuers or timing, that you’d want to make sure that folks understand?
Jen: It is worth noting that the SEC has been carefully watching cybersecurity disclosure because the guidance previously wasn’t an actual rule. It meant that companies were only subject to SEC comments and market reactions. So, there weren’t any specific reporting requirements.
So, with this new rule, companies really need to prepare those requirements now that it’s a rule that could impact their SEC reviews, their ability to raise capital, their standing with the SEC and the market.
Scott: Jen, thanks for joining me today for this edition of On The Dot. Great information and great insight.
I know you’re working on a full-length blog on cybersecurity. Is there anything else in particular that will be in the blog that maybe we haven’t covered today?
Jen: As companies learn more about an incident, the SEC requires that they file an 8-K/A, an amendment, and they have to report updated information.
That information can’t be included in their 10-Q or their 10-K. The SEC specifically designed that so that information would be related to the original incident reporting.
So, it’s important for companies to stay up to date and as there’s more information that they’ve learned about an incident, that they keep that information updated.
Scott: So that and much more in your blog.
Jen: Yes.
Scott: Jen, thanks for keeping us informed on the latest from the SEC, and we’ll look forward to having you back again as new rules get adopted.
Jen: Thanks Scott.