The Securities and Exchange Commission (“SEC”) adopted new rules requiring the disclosure of cybersecurity risk management, strategy, governance and material incidents (the “Rules”), effective September 5, 2023. The Rules apply to U.S. domestic companies and foreign private issuers (“FPIs”). Canadian issuers reporting under the U.S.-Canada Multijurisdictional Disclosure System (“MJDS”) will be impacted to the extent that they are required to report material cybersecurity incidents in accordance with applicable Canadian rules.
New Disclosure Requirements
Cybersecurity threats and incidents pose an ongoing and escalating risk to public companies. The SEC has indicated that it adopted the Rules to promote sound investment decision-making by providing investors with information in a consistent format that can be used to evaluate and compare issuers with respect to their exposure to material cybersecurity risks and incidents, as well as their ability to manage and mitigate them.
Incident reporting
The SEC defines a “cybersecurity incident” as an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the…
