For those foreign private issuers out there struggling to keep up with the SEC’s recent spate of rulemaking – we don’t blame you.
In its latest rule, adopted on 26 July 2023, the SEC will require, among other things, additional cybersecurity disclosures in annual reports filed by foreign private issuers on Form 20-F. We expect the new rules to apply to annual reports filed in respect of fiscal years ended on or after 15 December 2023 – this means the next Form 20-F for companies with a calendar year-end.
The new disclosures are required to describe:
- the issuer’s processes, if any, for assessing, identifying and managing material risks from cybersecurity threats;
- whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the issuer;
- the board’s oversight of risks from cybersecurity threats; and
- management’s role in assessing and managing material risks from cybersecurity threats.
Many foreign private issuers with listings in their home jurisdictions will already substantially comply with most or all of these requirements. But, as usual, recycling last year’s disclosure without consideration would be a mistake.
The new rule also requires foreign private issuers to furnish to the SEC on a Form 6-K information regarding material cybersecurity incidents that they disclose under their home country laws, report pursuant to stock exchange requirements or provide to their shareholders. We don’t expect that this will result in increased reporting by UK- and EU-listed foreign private issuers who already furnish all regulatory announcements to the SEC on Form 6-K.
If you would like to discuss this new rulemaking, please reach out to your usual Freshfields contact.