Every week there is news of another cybersecurity breach. It has become almost routine to see headlines about a cybersecurity hack or to be notified that our personal data may be compromised. The SEC has not required this same level of notice to the market and investors from public companies about cybersecurity. Since 2011, the SEC has posted guidance advising companies to ensure they disclose relevant cybersecurity information. The guidance did not take into account many developments that have occurred since it was issued. Many companies did not adhere to the SEC guidance, though, and some major cybersecurity incidents were reported in the news but not in SEC filings. In 2023, the SEC adopted a final rule to fill this disclosure gap. Beginning in 2023, filers were required to provide specific disclosures regarding their material cybersecurity incidents and cybersecurity risk management. Beginning December 18, 2024, public companies will need to tag these disclosures in Inline XBRL, providing greater transparency to investors.
Strong cybersecurity corporate governance
On December 4, 2024, my colleague Tina Hong and Ola James, IT Senior Director with AXIA Partners, hosted a webinar on cybersecurity management and resiliency. Similar to the established SOX internal controls over financial reporting (ICFR), companies need a robust set of practices and frameworks to manage cyber risks and respond to cybersecurity incidents. This framework will help companies mitigate issues and respond and report quickly and effectively when an incident does occur.
iXBRL tagging cybersecurity disclosures
In the last decade, the SEC has dramatically increased its adoption of structured data, including XML and Inline XBRL. Inline XBRL (iXBRL) combines the tagging and disclosure in one HTML file that is both human and machine readable. The tagging improves disclosures by validating the information reported and allows for greater analysis and comparison by regulators and investors. The SEC implemented the CYD taxonomy to tag relevant cyber data in filings. The iXBRL tagging will allow the marketplace to compare cybersecurity incidents and risks across filings and filers.
Cybersecurity incidents
- Filers are required to report and tag any material cybersecurity incident on Form 8-K under new Item 1.05 within four business days after the filer determines that the incident is material.
- The nature, scope, and timing of any incident are required to be disclosed.
- Registrants must file an amendment (8-K/A) if they have updated information to report. Considering security concerns, the SEC allows filers to withhold or delay reporting sensitive information.
- Foreign Private Issuers (FPIs) have similar cybersecurity incident reporting requirements on Form 6-K.
- Previously disseminated 6-K and 8-K filings reporting a “cybersecurity incident” are helpful for filers to review if they need to report an incident.
Annual disclosures
Filers are required to report annually under new Item 106 of Regulation S-K:
- Domestic issuers must disclose in their annual reports on Form 10-K the company’s cybersecurity risk management and strategy, including their risk factors, financial and operational impact from incidents, corporate policies, and practices.
- Foreign Private Issuers who file on Form 20-F must disclose their cybersecurity governance in their annual report.
- Inline XBRL tagging for all annual report disclosures begins for fiscal years ending on or after December 15, 2024.
Note: Canadian issuers who file on Form 40-F are exempt from these reporting requirements.
Filers should prepare now for the new iXBRL tagging requirements and ensure their service provider is ready for the SEC requirements. The tagging will provide new transparency to the market about cybersecurity and corporate governance practices for public companies.
How Toppan Merrill can help
Toppan Merrill is here to help issuers comply with the new SEC disclosure requirements and manage related SOX considerations. Visit our SEC reporting and SOX compliance pages to learn more – or connect with one of our experts at [email protected] or by calling 800.688.4400.