Securities and Exchange Commission Cybersecurity Update
SEC 2023+
Cyber Risk Assessments
Intro
On July 26, 2023, the Securities and Exchange Commission (the “Commission”) adopted new rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934 (the “Exchange Act”). The new rules have two main components.
Numerous private companies serve as third parties to public corporations and consequently face potential liability for cyber incidents that affect those public entities. Moreover, investors and stakeholders frequently hold private enterprises to standards comparable to those applied to their public counterparts. The SEC’s recent regulatory pronouncements offer insight into forthcoming cybersecurity legislation, much of which extends beyond the realm of public companies.
The disclosure requirements concerning cybersecurity risk assessment and strategy (Regulation S-K Item 106(b)) are designed to ensure a uniform and comparable portrayal of cybersecurity risk management initiatives, shedding light on program functionalities, strategies, and efficacy.
Under this regulation, companies will need to confirm that a cybersecurity risk assessment program exists, describe how it operates, how it is integrated into overall risk management, and whether any third parties are involved. Particularly noteworthy is the obligation to disclose whether cybersecurity threats have had, or are reasonably expected to have, a material impact on the company’s business strategy, operational outcomes, or financial status.
About the Assessment
“(1) Disclosure of material cybersecurity incidents. For domestic registrants, this disclosure must be filed on Form 8-K within four business days of determining that a cybersecurity incident is material. For foreign private issuers (“FPIs”), this disclosure must be furnished on Form 6-K promptly after the incident is disclosed or otherwise publicized (or is required to be disclosed or publicized) in a foreign jurisdiction, to any stock exchange, or to security holders.
(2) Annual disclosure of cybersecurity risk management, strategy, and governance. For domestic registrants, this disclosure is made on Form 10-K. For FPIs, this disclosure is made on Form 20-F.”
More Information
Risk Management, Strategy, and Governance Disclosure
“The new rules add Item 106 to Regulation S-K requiring registrants to disclose certain information regarding their risk management, strategy, and governance relating to cybersecurity in their annual reports on Form 10-K. The new rules add Item 16K to Form 20-F to require comparable disclosure by FPIs in their annual reports on Form 20-F.
Specifically, with respect to risk management, Item 106 and Item 16K require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect them. The new rules include a non-exclusive list of disclosure items registrants should provide based on their facts and circumstances.
With respect to governance, Item 106 and Item 16K require registrants to describe the board of directors’ oversight of risks from cybersecurity threats (including identifying any board committee or subcommittee responsible for such oversight) and management’s role in assessing and managing material risks from cybersecurity threats.”