Release, at 88-89. For Item 106 of Regulation S-K, all registrants will need to begin tagging responsive disclosure in Inline XBRL beginning with annual reports for fiscal years ending on or after December 15, 2024; and for Item 1.05 of Form 8-K and Form 6-K all registrants will need to begin tagging responsive disclosure in Inline XBRL beginning on December 18, 2024, or 465 days after the date of publication of the Final Rules in the Federal Register, whichever is later.[39] Id. at 36.[40] Id. at 29.[41] Id.at 38.[42] Id. at 36.[43] Id. at 80 (citing TSC Industries, Inc. v. Northway, Inc., 426 U.S. 438, 449 (1976) (holding that information is material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly altered the total mix of information made available); Basic, Inc. v. Levinson, 485 U.S. 224, 232 (1988); Matrixx Initiatives, Inc. v. Siracusano, 563 U.S. 27 (2011)).[44] See 17 CFR 230.405.[45] See 17 CFR 240.12b-2.[46] See Adopting Release, at 29-30.[47] Id.[48] See Improving the Quality of Cybersecurity Risk Management Disclosures of Comm’r Jaime Lizárraga (Jul. 26, 2023), available at https://www.sec.gov/news/statement/lizarraga-statement-cybersecurity-072623.[49] See Harming Investors and Helping Hackers: Statement on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure of Comm’r Hester M. Peirce (Jul. 26, 2023), available at https://www.sec.gov/news/statement/peirce-statement-cybersecurity-072623 [hereinafter, the Peirce Statement].[50] See Statement on the Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure of Comm’r Mark T. Uyeda (Jul. 26, 2023), available at https://www.sec.gov/news/statement/uyeda-statement-cybersecurity-072623.[51] See, e.g., Press Release, US Sec. & Exch. Comm’n, SEC Charges Software Company Blackbaud Inc. for Misleading Disclosures About Ransomware Attack That Impacted Charitable D

bersecurity Incident” Borrows From Other CasesThe rule now requires reporting not just a breach, but any “material cybersecurity incident.” Cybersecurity incidents are ubiquitous. An employee sends a set of login credentials to the wrong customer—that is a cybersecurity incident. A customer provides a row of data that improperly combined the information of two separate people and now a single user can see the information for both people—that is a cybersecurity incident. A penetration tester gets past a firewall—that is a cybersecurity incident.The operable question then becomes: What raises a security incident to the level of a “material cybersecurity incident”?To answer this question, the SEC has adopted the materiality standard applied in more traditional securities fraud cases and regulations, including TSC Industries, Inc. v. Northway, Inc., 426 U.S. 438, 449 (1976); Basic, Inc. v. Levinson, 485 U.S. 224, 232 (1988); and Matrixx Initiatives, Inc. v. Siracusano, 563 U.S. 27 (2011); 17 CFR 230.405 (Securities Act Rule 405); and 17 CFR 240.12b-2 (Exchange Act Rule 12b-2). Specifically, “information is material if ‘there is a substantial likelihood that a reasonable shareholder would consider it important’ in making an investment decision, or if it would have ‘significantly altered the “total mix” of information made available.’ ‘Doubts as to the critical nature’ of the relevant information should be ‘resolved in favor of those the statute is designed to protect,’ namely investors.”If a “material cybersecurity incident” occurs, the registrant must file a Form 8-K and complete the newly added Item 1.05 that requires the disclosure of the following information:when the incident was discovered and whether it is ongoing;a brief description of the nature and scope of the incident;whether any data was stolen, altered, accessed or used for any other unauthorized purpose;the effect of the incident on the registrant’s operations; andwhether the registrant has remediated or is currently re

ng nature of this requirement, arguing that the new rules "break new ground by requiring real-time, forward-looking disclosure" regarding the reasonably likely impact of a breach as well as the requirement to update this information, stating that "[n]o other Form 8-K event requires such broad forward-looking disclosure that needs to be constantly assessed for a potential amendment." 8The adopting release notes that "rule's inclusion of 'financial condition and results of operations' is not exclusive; companies should consider qualitative factors alongside quantitative factors in assessing the material impact of an incident." For example, harm to a company's reputation, customer or vendor relationships, or competitiveness may have a material impact on the company, as could the possibility of litigation or regulatory investigations or actions. 9TSC Indus. v. Northway, 426 U.S. 438, 449 (1976); Matrixx Initiatives v. Siracusano, 563 U.S. 27, 38-40 (2011); Basic, 485 U.S. at 240. Also see 17 CFR 230.405 (Securities Act Rule 405) and 17 CFR 240.12b-2 (Exchange Act Rule 12b-2). 10 See footnote 124 of the adopting release. 11The complete definition is “an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.” See new Item 106(a). 12The adopting release points to the proposing release for examples of cybersecurity incidents that may, if determined by the company to be material, trigger the proposed Item 1.05 disclosure requirement, including: “An unauthorized incident that has compromised the confidentiality, integrity, or availability of an information asset (data, system, or network); or violated the registrant’s security policies or procedures. Incidents may stem from the accidental exposure of data or from a deliberate attack to steal or alter data; [a]n unauthorized i

eXtensible Business Reporting Language (XBRL).Compliance Requirements of the Adopted AmendmentsMost issuers will be required to disclose the quantitative data as an exhibit to, and provide the narrative disclosures on, their Forms 10-Q and 10-K beginning with the first filing that covers the first full fiscal quarter that begins on or after Oct. 1, 2023.FPIs will need to disclose the quantitative data on the new Form F-SR beginning with the Form F-SR that covers the first full fiscal quarter that begins on or after April 1, 2024, and provide the narrative disclosure starting with the first Form 20-F filed after their first Form F-SR has been filed.Listed closed-end funds will need to disclose the quantitative data and provide the narrative disclosure on Form N-CSR beginning with the Form N-CSR that covers the first six-month period that begins on or after Jan. 1, 2024.The full release containing the SEC’s adopted amendments can be found here.[1] “Foreign private issuer” is defined in 17 CFR 230.405 (Securities Act Rule 405) and 17 CFR 240.3b-4 as any foreign issuer other than a foreign government except for an issuer meeting the following conditions as of the last business day of its most recently completed second fiscal quarter: (1) More than 50 percent of the issuer’s outstanding voting securities are directly or indirectly held of record by residents of the United States; and (2) any of the following: (i) the majority of the executive officers or directors are United States citizens or residents, (ii) more than 50 percent of the assets of the issuer are located in the United States, or (iii) the business of the issuer is administered principally in the United States.[2] See our previously published Client Alert regarding these rules at https://www.bakerlaw.com/SEC-Adopts-Amendments-to-Rule-10b5-1.[View source.]

The Commission’s rules define a smaller reporting company to mean an issuer that is not an investment company, an asset-backed issuer or a majority-owned subsidiary of a parent that is not a smaller reporting company and that (1) had a public float of less than $250 million or (2) had annual revenues of less than $100 million and either (i) no public float or (ii) a public float of less than $700 million. See 17 CFR 229.10(f)(1), 230.405 and 17 CFR 240.12b-2.Proposed Rule at 405.

5 The SEC’s rules define “smaller reporting company” or “SRC” to mean “an issuer that is not an investment company, an asset-backed issuer, or a majority-owned subsidiary of a parent that is not a smaller reporting company and that: (1) had a public float of less than $250 million; or (2) had annual revenues of less than $100 million and either: (i) no public float; or (ii) a public float of less than $700 million.” Seeid. at 48 n.143 (citing 17 CFR 229.10(f)(1), 230.405, and 17 CFR 240.12b-2).6 “GHG emissions” would be defined as direct and indirect emissions of greenhouse gases expressed in metric tons of carbon dioxide equivalent (CO2e), of which: (1) direct emissions are GHG emissions from sources that are owned or controlled by a registrant. (2) indirect emissions are GHG emissions that result from the activities of the registrant, but occur at sources not owned or controlled by the registrant.

6 Id. See also the definition of “material” in Securities Act Rule 405, 17 CFR 230.405; Exchange Act Rule 12b-2, 17 CFR 240.12b-2.

Remarks at the 37th Annual Conference on Securities Regulation and Business Law, (Feb. 13, 2015), available at http://www.sec.gov/news/speech/021315-spc-cdmg.html.[9] See 15 U.S.C. § 78mm(a)(1).[10] See 17 C.F.R. § 230.405 (definition of “ineligible issuer”).[11] 15 U.S.C. § 80a-9(a).

That issuer continues to be an EGC for the first five fiscal years after the date of the first sale of its common equity securities pursuant to an effective registration statement, unless it surpasses certain thresholds for annual gross revenue or issuance of nonconvertible debt or becomes a large accelerated filer as defined under the Exchange Act of 1934.2 U.S. Securities and Exchange Commission Division of Corporate Finance, Revised Statement on Well-Known Seasoned Issuer Waivers (Apr. 24, 2014). For the definition of a WSKI, see 17 C.F.R. § 230.405.

[lv] Id. [lvi] See, e.g., 15 U.S.C. § 77z–2 (Private Securities Litigation Reform Act, defining eligibility for safe harbor for forward looking statements); 15 U.S.C. § 80a-9 (Section 9(a) of the Investment Company Act of 1940, defining ineligible statuses); 17 C.F.R. § 230.405 (Securities Act Rule 405, defining well-known seasoned issuer); 17 C.F.R. § 230.506 (Securities Act Rule 506(d), defining “Bad Actor” disqualification); and 17 C.F.R. § 230.