SEC modernizes cybersecurity reporting for public companies: Inline XBRL overview


Overview

The SEC adopted a new cybersecurity reporting rule affecting domestic and foreign private issuers. Issuers will be required to iXBRL (Inline XBRL) tag their new disclosures as a part of the SEC’s ongoing modernization efforts to mandate more structured data reporting.

The SEC charged SolarWinds and its chief information security officer on Oct. 30, 2023, with fraud and internal control failures related to known systemic cybersecurity risks and breaches. It is vital for investors in public companies to be aware of any material cybersecurity incidents that a company experiences and of its practices for managing those cyber threats. The SEC adopted a new rule intended to modernize cybersecurity disclosure and improve transparency for public companies.

Issuers will be required to report 1) any material cybersecurity incident, such as a data breach or hack, and 2) their ongoing cyber risk management and governance practices. The new requirements replace an outdated disclosure framework based on SEC guidance from 2011.

The new disclosures will be required to be Inline XBRL tagged as part of the SEC’s ongoing modernization efforts to mandate more structured data reporting, primarily XML and iXBRL. The SEC is expected to also adopt similar cybersecurity rules for Mutual Funds in the near future.


New Cybersecurity Incident reporting

Domestic and foreign private issuers (FPIs) will be required to disclose material cybersecurity incidents under the new rule.

Domestic issuers

  • Report any cybersecurity incident the issuer determines to be material on Form 8-K using new Item 1.05 within four business days of the determination (not when the incident occurred)
  • The filing should disclose the nature, scope and timing of the incident and the likely impact, such as financial or operational
  • Any updates must be reported as an amendment (e.g. 8-K/A) to the initial report
  • The SEC will provide a mechanism to delay reporting if the incident affects sensitive matters such as national security

Foreign private issuers

  • Furnish information on Form 6-K
    • of any cybersecurity incident they deem to be material and
    • which they are required to make public or otherwise disclose in a foreign jurisdiction to any stock exchange or to their security holders
  • Unlike the new Form 8-K requirements, there is no specific timing requirement to file a 6-K cyber incident report

Note: Only FPIs who file on Form 20-F are required to comply. The new rules do not apply to Canadian issuers (MJDS) who file on Form 40-F.

Cybersecurity Incident determination

Under the new rule, a company is only required to disclose a cybersecurity incident if they determine it to be material. The materiality threshold is unique to each company and their circumstances. Issuers may use a range of criteria to decide when a cyber incident should be reported. Factors can include technical, security, financial or operational impact and potential harm to their reputation. In light of the new SEC rule, issuers should examine their cybersecurity incident assessment protocols to ensure there are no gaps in their internal controls.

The SEC discusses the potential lag in reporting an incident: “When disclosures about cybersecurity breaches are made, they may not be timely or consistent. Because of the lack of consistency in when and how companies currently disclose incidents, it is difficult to assess quantitatively the timeliness of disclosures under current practices. According to Audit Analytics data, in 2021, it took an average of 42 days for companies to discover breaches, and then it took an average of 80 days and a median of 56 days for companies to disclose a breach after its discovery. This data does not tell us when disclosure occurs relative to companies’ materiality determinations.” The SEC and the market will pay attention to the timing of future 8-K filings that report a cyber incident.

New Cybersecurity risk management and corporate governance practices annual disclosures

Under new Item 106 of Regulation S-K, issuers will be required to disclose their cybersecurity risk management and governance practices in their annual reports.

Domestic issuers

  • Report annually on Form 10-K
    • Their processes to assess, identify and manage cybersecurity risks and threats, and whether any of those risks have materially affected or are likely to materially affect the company
    • The board’s oversight of risks from cybersecurity threats
    • Management’s role in assessing and managing material risks from cybersecurity threats

Foreign private issuers

  • Report annually on Form 20-F
    • The board’s oversight of risks from cybersecurity threats
    • Management’s role in assessing and managing material risks from cybersecurity threats

While the new annual cybersecurity disclosures are not subject to audit standards, companies should use this opportunity to evaluate their existing cybersecurity risk management program and implement any changes needed to align with the new SEC disclosure requirements. A company’s SOX processes and internal control failures could be connected to cybersecurity risk. Companies can benefit from utilizing a third-party risk management assessment.

Compliance timing and Inline XBRL tagging requirements

Issuers will be required to report the new disclosures beginning:

  • Item 106 cybersecurity risk management and governance practices reporting, beginning with annual reports for fiscal years ending on or after Dec. 15, 2023
  • Cybersecurity incident reporting on Form 6-K or 8-K:
    • for all filers that are NOT a Smaller Reporting Company, beginning Dec. 18, 2023
    • for Smaller Reporting Companies (SRC), beginning June 15, 2024

Inline XBRL tagging compliance

  • Inline XBRL tagging of the Item 106 cybersecurity risk management and governance practices disclosure for all registrants, beginning with annual reports for fiscal years ending on or after Dec. 15, 2024; and
  • Inline XBRL tagging of Item 1.05 of Form 8-K and the corresponding Form 6-K disclosure for all registrants, beginning Dec. 18, 2024

The new tagging requirements for cybersecurity incidents expand iXBRL tagging, for the first time, to the body of 6-K and 8-K filings. Currently, only certain financial statements filed with a 6-K or 8-K and the 8-K cover page are required to be tagged. The SEC’s expansion of Inline XBRL continues across all types of filers and form types.

How Toppan Merrill can help

Toppan Merrill is here to help issuers prepare to comply with the new SEC disclosure requirements and manage related SOX considerations. Visit our SEC reporting and SOX compliance pages to learn more – or connect with one of our experts at [email protected] or by calling 800.688.4400.

Jennifer Froberg - Sr SEC Product Specialist

With over 15 years of industry experience in the SEC regulatory landscape, Jennifer supports and advises clients in how to get their filings right. Part of a Toppan Merrill team of EDGAR experts who provide practical compliance expertise in a variety of subjects, Jennifer focuses on analyzing the scope of SEC rulemaking, where the agency is headed and how regulatory changes will impact the filers, investors and the market. She has a particular focus on structured data and ESG initiatives.
