Why did the SEC issue this rule?? How did the SEC respond to comments on the rule proposal? Did the SEC do too little? or too much? or is the f

1

Conformed to Federal Register version

SECURITIES AND EXCHANGE COMMISSION

17 CFR Parts 229, 232, 239, 240, and 249

[Release Nos. 33-11216; 34-97989; File No. S7-09-22]

RIN 3235-AM89

Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure

AGENCY: Securities and Exchange Commission.

ACTION: Final rule.

SUMMARY: The Securities and Exchange Commission (“Commission”) is adopting new rules

to enhance and standardize disclosures regarding cybersecurity risk management, strategy,

governance, and incidents by public companies that are subject to the reporting requirements of

the Securities Exchange Act of 1934. Specifically, we are adopting amendments to require

current disclosure about material cybersecurity incidents. We are also adopting rules requiring

periodic disclosures about a registrant’s processes to assess, identify, and manage material

cybersecurity risks, management’s role in assessing and managing material cybersecurity risks,

and the board of directors’ oversight of cybersecurity risks. Lastly, the final rules require the

cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language

(“Inline XBRL”).

DATES: Effective date: The amendments are effective September 5, 2023.

Compliance dates: See Section II.I (Compliance Dates).

FOR FURTHER INFORMATION CONTACT: Nabeel Cheema, Special Counsel, at (202)

551-3430, in the Office of Rulemaking, Division of Corporation Finance; and, with respect to the

application of the rules to business development companies, David Joire, Senior Special

2

Counsel, at (202) 551-6825 or [email protected], Chief Counsel’s Office, Division of Investment

Management, U.S. Securities and Exchange Commission, 100 F Street NE, Washington, DC

20549.

SUPPLEMENTARY INFORMATION: We are adopting amendments to:

Commission Reference CFR Citation (17 CFR)

Regulation S-K §§ 229.10 through 229.1305 Items 106 and 601 §§ 229.106 and 229.601 Regulation S-T §§ 232.10 through 232.903 Rule 405 § 232.405

Securities Act of 1933 (“Securities Act”)1

Form S-3 § 239.13

Securities Exchange Act of 1934 (“Exchange Act”)2

Rule 13a-11 § 240.13a-11

Rule 15d-11 § 240.15d-11 Form 20-F § 249.220f Form 6-K § 249.306 Form 8-K § 249.308 Form 10-K § 249.310

1 15 U.S.C. 77a et seq. 2 15 U.S.C. 78a et seq.

3

Table of Contents I. Introduction and Background ……………………………………………………………………………………. 5 II. Discussion of Final Amendments …………………………………………………………………………….. 13

A. Disclosure of Cybersecurity Incidents on Current Reports ……………………………………. 13 1. Proposed Amendments ……………………………………………………………………………………. 13 2. Comments ……………………………………………………………………………………………………… 16 3. Final Amendments ………………………………………………………………………………………….. 27

B. Disclosures about Cybersecurity Incidents in Periodic Reports ……………………………… 46 1. Proposed Amendments ……………………………………………………………………………………. 46 2. Comments ……………………………………………………………………………………………………… 48 3. Final Amendments ………………………………………………………………………………………….. 50

C. Disclosure of a Registrant’s Risk Management, Strategy and Governance Regarding Cybersecurity Risks …………………………………………………………………………………………………… 53

1. Risk Management and Strategy ………………………………………………………………………… 53 a. Proposed Amendments ………………………………………………………………………………. 53 b. Comments ………………………………………………………………………………………………… 56 c. Final Amendments …………………………………………………………………………………….. 60

2. Governance ……………………………………………………………………………………………………. 65 a. Proposed Amendments ………………………………………………………………………………. 65 b. Comments ………………………………………………………………………………………………… 67 c. Final Amendments …………………………………………………………………………………….. 68

3. Definitions……………………………………………………………………………………………………… 71 a. Proposed Definitions ………………………………………………………………………………….. 71 b. Comments ………………………………………………………………………………………………… 72 c. Final Definitions ……………………………………………………………………………………….. 75

D. Disclosure Regarding the Board of Directors’ Cybersecurity Expertise ………………….. 81 1. Proposed Amendments ……………………………………………………………………………………. 81 2. Comments ……………………………………………………………………………………………………… 82 3. Final Amendments ………………………………………………………………………………………….. 85

E. Disclosure by Foreign Private Issuers…………………………………………………………………. 85 1. Proposed Amendments ……………………………………………………………………………………. 85 2. Comments ……………………………………………………………………………………………………… 86 3. Final Amendments ………………………………………………………………………………………….. 87

F. Structured Data Requirements …………………………………………………………………………… 88 1. Proposed Amendments ……………………………………………………………………………………. 88 2. Comments ……………………………………………………………………………………………………… 88 3. Final Amendments ………………………………………………………………………………………….. 88

G. Applicability to Certain Issuers …………………………………………………………………………. 89 1. Asset-Backed Issuers ………………………………………………………………………………………. 89 2. Smaller Reporting Companies ………………………………………………………………………….. 91

H. Need for New Rules and Commission Authority …………………………………………………. 93 I. Compliance Dates ………………………………………………………………………………………….. 107

III. OTHER MATTERS……………………………………………………………………………………………… 107 IV. ECONOMIC ANALYSIS …………………………………………………………………………………….. 108

A. Introduction …………………………………………………………………………………………………… 108

4

B. Economic Baseline…………………………………………………………………………………………. 112 1. Current Regulatory Framework ………………………………………………………………………. 112 2. Affected Parties …………………………………………………………………………………………….. 117

C. Benefits and Costs of the Final Rules ……………………………………………………………….. 118 1. Benefits ……………………………………………………………………………………………………….. 119

a. More Timely and Informative Disclosure……………………………………………………. 119 b. Greater Uniformity and Comparability ……………………………………………………….. 130

2. Costs ……………………………………………………………………………………………………………. 134 3. Indirect Economic Effects………………………………………………………………………………. 143

D. Effects on Efficiency, Competition, and Capital Formation …………………………………. 145 E. Reasonable Alternatives………………………………………………………………………………….. 146

1. Website Disclosure ……………………………………………………………………………………….. 146 2. Disclosure through Periodic Reports ……………………………………………………………….. 147 3. Exempt Smaller Reporting Companies …………………………………………………………….. 148

V. PAPERWORK REDUCTION ACT ……………………………………………………………………….. 150 A. Summary of the Collections of Information ………………………………………………………. 150 B. Summary of Comment Letters and Revisions to PRA Estimates ………………………….. 151 C. Effects of the Amendments on the Collections of Information …………………………….. 152 D. Incremental and Aggregate Burden and Cost Estimates for the Final Amendments .. 154

VI. FINAL REGULATORY FLEXIBILITY ANALYSIS ……………………………………………… 158 A. Need for, and Objectives of, the Final Amendments …………………………………………… 158 B. Significant Issues Raised by Public Comments ………………………………………………….. 158

1. Estimate of Affected Small Entities and Impact to Those Entities ……………………….. 160 2. Consideration of Alternatives …………………………………………………………………………. 162

C. Small Entities Subject to the Final Amendments ……………………………………………….. 165 D. Projected Reporting, Recordkeeping, and other Compliance Requirements …………… 165 E. Agency Action to Minimize Effect on Small Entities …………………………………………. 166

Statutory Authority ……………………………………………………………………………………………………… 169

5

I. Introduction and Background

On March 9, 2022, the Commission proposed new rules, and rule and form amendments,

to enhance and standardize disclosures regarding cybersecurity risk management, strategy,

governance, and cybersecurity incidents by public companies that are subject to the reporting

requirements of the Exchange Act.3 The proposal followed on interpretive guidance on the

application of existing disclosure requirements to cybersecurity risk and incidents that the

Commission and staff had issued in prior years.

In particular, in 2011, the Division of Corporation Finance issued interpretive guidance

providing the Division’s views concerning operating companies’ disclosure obligations relating

to cybersecurity (“2011 Staff Guidance”).4 In that guidance, the staff observed that “[a]lthough

no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a

number of disclosure requirements may impose an obligation on registrants to disclose such risks

and incidents,” and further that “material information regarding cybersecurity risks and cyber

incidents is required to be disclosed when necessary in order to make other required disclosures,

in light of the circumstances under which they are made, not misleading.”5 The guidance pointed

specifically to disclosure obligations under 17 CFR 229.503 (Regulation S-K “Item 503(c)”)

(Risk factors) (since moved to 17 CFR 229.105 (Regulation S-K “Item 105”)), 17 CFR 229.303

(Regulation S-K “Item 303”) (Management’s discussion and analysis of financial condition and

results of operations), 17 CFR 229.101 (Regulation S-K “Item 101”) (Description of business),

17 CFR 229.103 (Regulation S-K “Item 103”) (Legal proceedings), and 17 CFR 229.307

3 See Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release No. 33-11038

(Mar. 9, 2022) [87 FR 16590 (Mar. 23, 2022)] (“Proposing Release”). 4 See CF Disclosure Guidance: Topic No. 2—Cybersecurity (Oct. 13, 2011), available at

https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm. 5 Id.

6

(Disclosure controls and procedures), as well as to Accounting Standards Codifications 350-40

(Internal-Use Software), 605-50 (Customer Payments and Incentives), 450-20 (Loss

Contingencies), 275-10 (Risks and Uncertainties), and 855-10 (Subsequent Events).6

In 2018, “[i]n light of the increasing significance of cybersecurity incidents,” the

Commission issued interpretive guidance to reinforce and expand upon the 2011 Staff Guidance

and also address the importance of cybersecurity policies and procedures, as well as the

application of insider trading prohibitions in the context of cybersecurity (“2018 Interpretive

Release”).7 In addition to discussing the provisions previously covered in the 2011 Staff

Guidance, the new guidance addressed 17 CFR 229.407 (Regulation S-K “Item 407”) (Corporate

Governance), 17 CFR Part 210 (“Regulation S-X”), and 17 CFR Part 243 (“Regulation FD”).8

The 2018 Interpretive Release noted that companies can provide current reports on Form 8-K

and Form 6-K to maintain the accuracy and completeness of effective shelf registration

statements, and it also advised companies to consider whether it may be appropriate to

implement restrictions on insider trading during the period following an incident and prior to

disclosure.9

As noted in the Proposing Release, current disclosure practices are varied. For example,

while some registrants do report material cybersecurity incidents, most typically on Form 10-K,

review of Form 8-K, Form 10-K, and Form 20-F filings by staff in the Division of Corporation

Finance has shown that companies provide different levels of specificity regarding the cause,

scope, impact, and materiality of cybersecurity incidents. Likewise, staff has also observed that,

6 Id. 7 See Commission Statement and Guidance on Public Company Cybersecurity Disclosures, Release No. 33-

10459 (Feb. 21, 2018) [83 FR 8166 (Feb. 26, 2018)], at 8167. 8 Id. 9 Id.

7

while the majority of registrants that are disclosing cybersecurity risks appear to be providing

such disclosures in the risk factor section of their annual reports on Form 10-K, the disclosures

are sometimes included with other unrelated disclosures, which makes it more difficult for

investors to locate, interpret, and analyze the information provided.10

In the Proposing Release, the Commission explained that a number of trends underpinned

investors’ and other capital markets participants’ need for more timely and reliable information

related to registrants’ cybersecurity than was produced following the 2011 Staff Guidance and

the 2018 Interpretive Release. First, an ever-increasing share of economic activity is dependent

on electronic systems, such that disruptions to those systems can have significant effects on

registrants and, in the case of large-scale attacks, systemic effects on the economy as a whole.11

Second, there has been a substantial rise in the prevalence of cybersecurity incidents, propelled

by several factors: the increase in remote work spurred by the COVID-19 pandemic; the

increasing reliance on third-party service providers for information technology services; and the

rapid monetization of cyberattacks facilitated by ransomware, black markets for stolen data, and

crypto-asset technology.12 Third, the costs and adverse consequences of cybersecurity incidents

to companies are increasing; such costs include business interruption, lost revenue, ransom

payments, remediation costs, liabilities to affected parties, cybersecurity protection costs, lost

assets, litigation risks, and reputational damage.13

10 See infra Section IV.A (noting that current cybersecurity disclosures appear in varying sections of companies’

periodic and current reports and are sometimes included with other unrelated disclosures). 11 Proposing Release at 16591-16592. See also U.S. FINANCIAL STABILITY OVERSIGHT COUNCIL, ANNUAL

REPORT (2021), at 168, available at https://home.treasury.gov/system/files/261/FSOC2021AnnualReport.pdf (finding that “a destabilizing cybersecurity incident could potentially threaten the stability of the U.S. financial system”).

12 Proposing Release at 16591-16592. 13 Id.

8

Since publication of the Proposing Release, these trends have continued apace, with

significant cybersecurity incidents occurring across companies and industries. For example,

threat actors repeatedly and successfully executed attacks on high-profile companies across

multiple critical industries over the course of 2022 and the first quarter of 2023, causing the

Department of Homeland Security’s Cyber Safety Review Board to initiate multiple reviews.14

Likewise, state actors have perpetrated multiple high-profile attacks, and recent geopolitical

instability has elevated such threats.15 A recent study by two cybersecurity firms found that 98

percent of organizations use at least one third-party vendor that has experienced a breach in the

last two years.16 In addition, recent developments in artificial intelligence may exacerbate

cybersecurity threats, as researchers have shown that artificial intelligence systems can be

leveraged to create code used in cyberattacks, including by actors not versed in programming.17

Overall, evidence suggests companies may be underreporting cybersecurity incidents.18

14 See Department of Homeland Security, Cyber Safety Review Board to Conduct Second Review on Lapsus$

(Dec. 2, 2022), available at https://www.dhs.gov/news/2022/12/02/cyber-safety-review-board-conduct-second- review-lapsus; see also Tim Starks, The Latest Mass Ransomware Attack Has Been Unfolding For Nearly Two Months, WASH. POST (Mar. 27, 2023), available at https://www.washingtonpost.com/politics/2023/03/27/latest- mass-ransomware-attack-has-been-unfolding-nearly-two-months/.

15 See, e.g., Press Release, Federal Bureau of Investigation, FBI Confirms Lazarus Group Cyber Actors Responsible for Harmony’s Horizon Bridge Currency Theft (Jan. 23, 2023), available at https://www.fbi.gov/news/press-releases/fbi-confirms-lazarus-group-cyber-actors-responsible-for-harmonys- horizon-bridge-currency-theft; Alert (AA22-257A), Cybersecurity & Infrastructure Security Agency, Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations (Sep. 14, 2022), available at https://www.cisa.gov/uscert/ncas/alerts/aa22-257a; National Security Agency et al., Joint Cybersecurity Advisory: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure (Apr. 20, 2022), available at https://media.defense.gov/2022/Apr/20/2002980529/-1/-1/1/joint_csa_russian_state- sponsored_and_criminal_cyber_threats_to_critical_infrastructure_20220420.pdf.

16 SecurityScorecard, Cyentia Institute and SecurityScorecard Research Report: Close Encounters of the Third (and Fourth) Party Kind (Feb 1, 2023), available at https://securityscorecard.com/research/cyentia-close- encounters-of-the-third-and-fourth-party-kind/.

17 Check Point Research, OPWNAI: AI that Can Save the Day or Hack it Away (Dec. 19, 2022), available at https://research.checkpoint.com/2022/opwnai-ai-that-can-save-the-day-or-hack-it-away.

18 Bitdefender, Whitepaper: Bitdefender 2023 Cybersecurity Assessment (Apr. 2023), available at https://businessresources.bitdefender.com/bitdefender-2023-cybersecurity-assessment.

9

Legislatively, we note two significant developments occurred following publication of

the Proposing Release. First, the President signed into law the Cyber Incident Reporting for

Critical Infrastructure Act of 2022 (“CIRCIA”)19 on March 15, 2022, as part of the Consolidated

Appropriations Act of 2022.20 The centerpiece of CIRCIA is the reporting obligation placed on

companies in defined critical infrastructure sectors.21 Once rules are adopted by the

Cybersecurity & Infrastructure Security Agency (“CISA”), these companies will be required to

report covered cyber incidents to CISA within 72 hours of discovery, and report ransom

payments within 24 hours.22 Importantly, reports made to CISA pursuant to CIRCIA will remain

confidential; while the information contained therein may be shared across Federal agencies for

cybersecurity, investigatory, and law enforcement purposes, the information may not be

disclosed publicly, except in anonymized form.23 We note that CIRCIA also mandated the

creation of a “Cyber Incident Reporting Council . . . to coordinate, deconflict, and harmonize

Federal incident reporting requirements” (the “CIRC”), of which the Commission is a member.24

Second, on December 21, 2022, the President signed into law the Quantum Computing

Cybersecurity Preparedness Act, which directs the Federal Government to adopt technology that

is protected from decryption by quantum computing, a developing technology that may increase

19 Cyber Incident Reporting for Critical Infrastructure Act of 2022, Pub. L. No. 117-103, 136 Stat. 1038 (2022). 20 Consolidated Appropriations Act of 2022, H.R. 2471, 117th Cong. (2022). 21 The sectors are defined in Presidential Policy Directive / PPD-21, Critical Infrastructure Security and Resilience

(Feb. 12, 2013), as: Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Government Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials, and Waste; Transportation Systems; Water and Wastewater Systems. Because these sectors encompass some private companies and do not encompass all public companies, CIRCIA’s reach is both broader and narrower than the set of companies subject to the rules we are adopting.

22 6 U.S.C. 681b(a)(1). 23 6 U.S.C. 681e. See infra Section II.A.3 for a discussion of why our final rules serve a different purpose and are

not at odds with the goals of CIRCIA. 24 6 U.S.C. 681f.

10

computer processing capacity considerably and thereby render existing computer encryption

vulnerable to decryption.25

We received over 150 comment letters in response to the Proposing Release.26 The

majority of comments focused on the proposed incident disclosure requirement, although we also

received substantial comment on the proposed risk management, strategy, governance, and board

expertise requirements. In addition, the Commission's Investor Advisory Committee adopted

recommendations (“IAC Recommendation”) with respect to the proposal, stating that it: supports

the proposed incident disclosure requirement; supports the proposed risk management, strategy,

and governance disclosure requirements; recommends the Commission reconsider the proposed

board of directors’ cybersecurity expertise disclosure requirement; suggests requiring companies

to disclose the key factors they used to determine the materiality of a reported cybersecurity

25 Quantum Computing Cybersecurity Preparedness Act, H.R. 7535, 117th Cong. (2022). More recently, the

White House released a National Cybersecurity Strategy to combat the ongoing risks associated with cyberattacks. The National Cybersecurity Strategy seeks to rebalance the responsibility for defending against cyber threats toward companies instead of the general public, and looks to realign incentives to favor long-term investments in cybersecurity. See Press Release, White House, FACT SHEET: Biden- ⁠Harris Administration Announces National Cybersecurity Strategy (Mar. 2, 2023), available at https://www.whitehouse.gov/briefing- room/statements-releases/2023/03/02/fact-sheet-biden-harris-administration-announces-national- cybersecurity-strategy/.

26 The public comments we received are available at https://www.sec.gov/comments/s7-09-22/s70922.htm. On Mar. 9, 2022, the Commission published the Proposing Release on its website. The comment period for the Proposing Release was open for 60 days from issuance and publication on SEC.gov and ended on May 9, 2022. One commenter asserted that the comment period was not sufficient and asked the Commission to extend it by 30 days. See letter from American Chemistry Council (“ACC”). In Oct. 2022, the Commission reopened the comment period for the Proposing Release and other rulemakings because certain comments on the Proposing Release and other rulemakings were potentially affected by a technological error in the Commission’s internet comment form. See Resubmission of Comments and Reopening of Comment Periods for Several Rulemaking Releases Due to a Technological Error in Receiving Certain Comments, Release No. 33-11117 (Oct. 7, 2022) [87 FR 63016 (Oct. 18, 2022)] (“Reopening Release”). The Reopening Release was published on the Commission’s website on Oct. 7, 2022 and in the Federal Register on Oct. 18, 2022, and the comment period ended on Nov. 1, 2022. A few commenters asserted that the comment period for the reopened rulemakings was not sufficient and asked the Commission to extend the comment period for those rulemakings. See, e.g., letters from Attorneys General of the states of Montana et al. (Oct. 24, 2022) and U.S. Chamber of Commerce (Nov. 1, 2022). We have considered all comments received since Mar. 9, 2022 and do not believe an additional extension of the comment period is necessary.

11

incident; and suggests extending the proposed 17 CFR 229.106 (Regulation S-K “Item 106”)

disclosure requirements to registration statements.27

We are making a number of important changes from the Proposing Release in response to

comments received. With respect to incident disclosure, we are narrowing the scope of

disclosure, adding a limited delay for disclosures that would pose a substantial risk to national

security or public safety, requiring certain updated incident disclosure on

Collepals.com Plagiarism Free Papers

Are you looking for custom essay writing service or even dissertation writing services? Just request for our write my paper service, and we'll match you with the best essay writer in your subject! With an exceptional team of professional academic experts in a wide range of subjects, we can guarantee you an unrivaled quality of custom-written papers.

Get ZERO PLAGIARISM, HUMAN WRITTEN ESSAYS

Why Hire Collepals.com writers to do your paper?

Quality- We are experienced and have access to ample research materials.

We write plagiarism Free Content

Confidential- We never share or sell your personal information to third parties.

Support-Chat with us today! We are always waiting to answer all your questions.