Cyber PRA Supporting Statement.Final.Final

Exchange Act Form 10-Q

OMB: 3235-0070

SUPPORTING STATEMENT FOR PROPOSED RULES RELATING TO
CYBERSECURITY RISK MANAGEMENT, STRATEGY, GOVERNANCE, AND
INCIDENT DISCLOSURE
This supporting statement is part of a submission under the Paperwork Reduction Act of
1995 (“PRA”).1
A. JUSTIFICATION

1. CIRCUMSTANCES MAKING THE COLLECTION OF INFORMATION NECESSARY

On March 9, 2022, the Securities and Exchange Commission (“Commission”) proposed
rules and rule amendments to enhance and standardize disclosures regarding cybersecurity risk
management, strategy, governance, and cybersecurity incident reporting by public companies
that are subject to the reporting requirements of the Securities Exchange Act of 1934 (“Exchange
Act”). 2 Specifically, the Commission proposed amendments to require current reporting about
material cybersecurity incidents. It also proposed to require periodic disclosures about a
registrant’s policies and procedures to identify and manage cybersecurity risks, management’s
role in implementing cybersecurity policies and procedures, and the board of directors’
cybersecurity expertise, if any, and its oversight of cybersecurity risk. Additionally, the
proposed rules would require registrants to provide updates about previously reported
cybersecurity incidents in their periodic reports. Further, the proposed rules would require the
cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language
(“Inline XBRL”).
The proposed amendments contain “collection of information” requirements within the
meaning of the PRA. The titles for the collection of information are:
• Schedule 14C (OMB Control No. 3235-0057);
• Schedule 14A (OMB Control No. 3235-0059);
• Form 8-K (OMB Control No. 3235-0060);
• Form 10-K (OMB Control No. 3235-0063);
• Form 10-Q (OMB Control No. 3235-0070);
• Form 6-K (OMB Control No. 3235-0116); and
• Form 20-F (OMB Control No. 3235-0288).

2. PURPOSE AND USE OF THE INFORMATION COLLECTION

The proposed amendments are intended to better inform investors about a registrant’s
cybersecurity risk management, strategy, and governance and to provide timely notification of
material cybersecurity incidents.
1 44 U.S.C. §3501, et seq.

2 See Release No. 34-11038 (Mar. 9, 2022) [87 FR 16590 (Mar. 23, 2022)] (“proposed amendments”).

3. CONSIDERATION GIVEN TO INFORMATION TECHNOLOGY

The forms that would be affected by the proposed amendments are filed electronically
with the Commission using the Commission’s Electronic Data Gathering and Retrieval
(“EDGAR”) system.
We are also proposing to require registrants to tag the information specified by Item 1.05
of Form 8-K and Items 106 and 407(j) of Regulation S-K in Inline XBRL in accordance with
Rule 405 of Regulation S-T (17 CFR 232.405) and the EDGAR Filer Manual.3 The proposed
requirements would include block text tagging of narrative disclosures, as well as detail tagging
of quantitative amounts disclosed within the narrative disclosures. Inline XBRL is both
machine-readable and human-readable, which improves the quality and usability of XBRL data
for investors.4 Requiring Inline XBRL tagging of the disclosures provided pursuant to these
disclosure items would benefit investors by making the disclosures more readily available and
easily accessible to investors, market participants, and others for aggregation, comparison,
filtering, and other analysis, as compared to requiring a non-machine readable data language
such as ASCII or HTML.
4. DUPLICATION OF INFORMATION

Business development companies (“BDCs”) could be subject to both the proposed rules
and rule amendments in the Division of Investment Management’s cybersecurity proposing
release5 and those proposed in this release if both proposals were to be adopted. To the extent
that BDCs would need to provide substantively the same or similar disclosure on both Form 8-K
and in registration statements, the compliance costs could be duplicative. However, the potential
duplication should not result in a significant increase in compliance costs, because BDCs should
be able to provide similar disclosure for both sets of rules.

3 This tagging requirement would be implemented by including a cross-reference to Rule 405 of Regulation S-T in
proposed Item 1.05 of Form 8-K and Items 106 and 407(j) of Regulation S-K, and by revising Rule 405(b) of
Regulation S-T [17 CFR 232.405(b)] to include the listed disclosure Items. In conjunction with the EDGAR Filer
Manual, Regulation S-T governs the electronic submission of documents filed with the Commission. Rule 405 of
Regulation S-T specifically governs the scope and manner of disclosure tagging requirements for operating
companies and investment companies, including the requirement in Rule 405(a)(3) to use Inline XBRL as the
specific structured data language to use for tagging the disclosures.

4 See Inline XBRL Filing of Tagged Data, Securities Act Release No. 10514 (June 28, 2018) [83 FR 40846 (Aug.
16, 2018)]. Inline XBRL allows filers to embed XBRL data directly into an HTML document, eliminating the
need to tag a copy of the information in a separate XBRL exhibit. Inline XBRL is both human-readable and
machine-readable for purposes of validation, aggregation, and analysis. Id. at 40851.

5 See Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business
Development Companies, Release No. 34-94197 (Feb. 9, 2022) [87 FR 13524 (Mar. 9, 2022)].

5. REDUCING THE BURDEN ON SMALL ENTITIES

The proposed amendments would affect some issuers that are small entities. Commission
staff estimates that, as of June 2021, there were 660 issuers,6 and 9 BDCs7 that may be
considered small entities that would be subject to the proposed amendments.
If adopted, the proposed amendments would apply to small entities to the same extent as
other entities, irrespective of size. Therefore, we expect the nature of any benefits and costs
associated with the proposed amendments to be similar for large and small entities. We
anticipate that the economic benefits and costs likely could vary widely among small entities
based on a number of factors, such as the nature and conduct of their businesses, which makes it
difficult to project the economic impact on small entities with precision. As a general matter,
however, we recognize that the costs of the proposed amendments borne by the affected entities
could have a proportionally greater effect on small entities, as they may be less able to bear such
costs relative to larger entities.
The Commission requested comment on how the proposed disclosure amendments would
affect small entities and will consider ways in the adopting release to ease the regulatory burden
on them, if appropriate.
6. CONSEQUENCES OF NOT CONDUCTING COLLECTION

The forms were adopted under the Exchange Act and set forth the disclosure
requirements for current reports, periodic reports, and proxy and information statements filed by
registrants to help investors make informed investment and voting decisions. Less frequent
collection would deprive investors of access to information that is important to these decisions.
7. SPECIAL CIRCUMSTANCES

There are no special circumstances in connection with the proposed amendments.
8. CONSULTATIONS WITH PERSONS OUTSIDE THE AGENCY

Members of the Commission staff consulted with the Cybersecurity and Infrastructure
Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the United States
Department of Justice (DOJ) among other federal agencies, commentators, and market
participants. The Commission is currently soliciting public comment on the new “collection of
information” requirements and the associated paperwork burdens.

6 This estimate is based on staff analysis of Form 10-K filings on EDGAR, or amendments thereto, filed during the
calendar year of Jan. 1, 2020 to Dec. 31, 2020, or filed by Sept. 1, 2021, and on data from XBRL filings,
Compustat, and Ives Group Audit Analytics.

7 These estimates are based on staff analysis of Morningstar data and data submitted by investment company
registrants in forms filed on EDGAR as of June 30, 2021.

9. PAYMENT OR GIFT TO RESPONDENTS

No payment or gift has been provided to any respondents.
10. CONFIDENTIALITY

All the affected information collections filed with the Commission are available to the
public.
11. SENSITIVE QUESTIONS

No information of a sensitive nature would be required in connection with the proposed
amendments. These information collections collect basic Personally Identifiable Information
(PII) that may include a name and job title. However, the agency has determined that the
information collections do not constitute a system of record for purposes of the Privacy Act.
Information is not retrieved by a personal identifier. In accordance with Section 208 of the
E-Government Act of 2002, the agency has conducted a Privacy Impact Assessment (PIA) of the
EDGAR system, in connection with these/this collection(s) of information. The EDGAR PIA,
published on March 22, 2023, is provided as a supplemental document and is also available at
https://www.sec.gov/privacy.
12. and 13. ESTIMATES OF HOUR AND COST BURDENS

The Commission anticipates that new disclosure and submission requirements will
increase the burdens and costs for affected registrants. The Commission derived its burden hour
and cost estimates by estimating the average amount of time it would take a registrant to prepare
and review the required disclosure and submission, as well as the average hourly rate for outside
professionals who assist with such preparation. All of these burden estimates incorporate the
proposed tagging requirements in Rule 405 of Regulation S-T.
Table 1 summarizes the estimated changes in burden attributable to the proposed
amendments for the affected forms and schedules:
Table 1: Estimated Paperwork Burden Associated with the Proposed New Rules and Amendments

| Proposed Requirements and Effects | Affected Forms and Schedules | Estimated Burden Per Response | Number of Estimated Affected Responses |
| --- | --- | --- | --- |
| Form 8-K, Item 1.05: Require disclosure regarding cybersecurity incidents. | Form 8-K | 10 Hours | 200 Filings |
| Form 6-K: Require disclosure regarding cybersecurity incidents. | Form 6-K | 9 Hours | 20 Filings |
| Adding Item 106 Disclosures: Require disclosure regarding policies and procedures (Item 106(b)). Require disclosure regarding board and management oversight of cybersecurity risk (Item 106(c)). Require updated disclosure regarding cybersecurity incidents (Item 106(d)). | Form 10-K; Form 20-F; Form 10-Q (Item 106(d)) | Form 10-K: 15 Hours; Form 20-F: 16.5 Hours; Form 10-Q: 5 Hours | Form 10-K: 8,292 Filings; Form 20-F: 729 Filings; Form 10-Q: 600 Filings |
| Adding Item 407(j) disclosures: Require disclosure on the cybersecurity expertise of members of the board of directors of the registrant, if any. | Form 10-K; Schedule 14A; Schedule 14C | Form 10-K: 1.5 Hours; Schedule 14A: 1.5 Hours; Schedule 14C: 1.5 Hours | Form 10-K: 5,464 Filings; Schedule 14A: 2,600 Filings; Schedule 14C: 228 Filings |

In addition, the Commission’s burden estimates are based on the following:
• We estimate that 600 of these filings will be increased by five hours due to the
proposed Item 106(d) disclosure.

• The burden estimate for Form 10-K assumes that Schedules 14A and 14C would
be the primary disclosure documents for the information provided in response to
proposed Item 407(j) of Regulation S-K in connection with proxy and information
statements involving the election of directors. In this case, we assume that the
disclosure would be incorporated by reference in Form 10-K from the proxy or
information statement.

• Not every filing on Form 6-K and Form 8-K would include cybersecurity
disclosures. These disclosures would be required only when a registrant has made
the determination that it has experienced a material cybersecurity incident.
Further, in the case of Form 6-K, the registrant would only have to provide the
disclosure if it is required to disclose such information elsewhere.

• For Form 10-Q, Schedule 14A, and Schedule 14C, not every filing would require
cybersecurity disclosure.

Table 2 below sets forth our estimates of the number of current filings on the forms
which will be affected by the proposed rules. We used this data to extrapolate the effect of these
changes on the paperwork burden for the listed periodic reports.8
Table 2: Estimated Paperwork Burden of Proposed Cybersecurity Disclosure

| Form | Current Annual Responses in PRA Inventory | Estimated Number of Filings that Would Include Cybersecurity Disclosure |
| --- | --- | --- |
| Schedule 14A | 6,369 | 2,600 |
| Schedule 14C | 569 | 228 |
| 10-K | 8,292 | 8,292 |
| 10-Q | 22,925 | 600 |
| 20-F | 729 | 729 |
| 8-K | 118,387 | 200 |
| 6-K | 34,794 | 20 |

Table 3 on the next page summarizes the current paperwork burden to prepare and review
the current required disclosure and submissions, including the current annual responses, current
burden hours, and current cost burdens. This information is then compared to the changes in
those respective burdens under the proposed amendments, if adopted and the overall cost and
burden of such implementation of the proposed amendments.

8 The OMB PRA filing inventories represent a three-year average. Averages may not align with the actual number
of filings in any given year.

Table 3. Requested Paperwork Burden under the Proposed Amendments*

Column groups: Current Burden (A)-(C); Program Change (D)-(F); Requested Change in Burden (G)-(I).

| Form | Current Annual Responses (A) | Current Burden Hours (B) | Current Cost Burden (C) | Number of Affected Responses (D) | Change in Company Hours (E) | Change in Professional Costs (F) | Annual Responses (G) = (A) | Burden Hours (H) = (B) + (E) | Cost Burden (I) = (C) + (F) |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Schedule 14A | 6,369 | 860,389 | $114,684,112 | 2,600 | 2,925 | $390,000 | 6,369 | 863,314 | $115,074,112 |
| Schedule 14C | 569 | 63,901 | $8,520,944 | 228 | 256.50 | $34,200 | 569 | 64,158 | $8,555,144 |
| Form 10-K | 8,292 | 13,988,811 | $1,835,594,519 | 8,292 (Item 106); 5,464 (407(j)) | 99,432 (93,285 (Item 106) + 6,147 (407(j))) | $13,257,600 ($12,438,000 + $819,600) | 8,292 | 14,088,243 | $1,848,852,119 |
| Form 10-Q | 22,925 | 3,098,084 | $410,257,154 | 600 | 2,250 | $300,000 | 22,925 | 3,100,334 | $410,557,154 |
| Form 20-F | 729 | 479,667 | $576,970,825 | 729 | 3,007.125 | $3,608,550 | 729 | 482,674 | $580,579,375 |
| Form 8-K | 70,560 | 445,300 | $59,373,418 | 200 | 1,500 | $200,000 | 70,560 | 446,800 | $59,573,418 |
| Form 6-K | 34,794 | 227,031 | $30,270,780 | 20 | 135 | $18,000 | 34,794 | 227,166 | $30,288,780 |

* For purposes of the PRA, the requested change in burden hours (column H) is rounded to the nearest whole
number.

14. COSTS TO FEDERAL GOVERNMENT

The annual cost of reviewing and processing disclosure documents, including registration
statements, post-effective amendments, proxy statements, annual reports and other filings of
operating companies amounted to approximately $131,724,880 in fiscal year 2023, based on the
Commission’s computation of the value of staff time devoted to this activity and related
overhead.

15. REASON FOR CHANGE IN BURDEN

As explained in further detail in Items 1, 12 and 13 above, changes in burden for
Schedule 14C, Schedule 14A, Form 8-K, Form 10-K, Form 10-Q, Form 6-K, and Form 20-F
would result from the proposed amendments to those rules.
Table 4 below shows the total estimated annual compliance burden, in hours and in costs
that would result from the proposed amendments, if adopted.9 The burden estimates were
calculated by multiplying the estimated number of responses by the estimated average amount of
time it would take a registrant to prepare and review the required information.
Table 4. Calculation of the Incremental Change in Burden Estimates of Current Responses Resulting from the Proposed Amendments

| Collection of Information | Number of Estimated Affected Responses (A)a | Burden Hour Increase per Response (B) | Change in Burden Hours (C) = (A) x (B) | Change in Company Hours (D) = (C) x 0.75 or .25 | Change in Professional Hours (E) = (C) x 0.25 or .75 | Change in Professional Costs (F) = (E) x $400 |
| --- | --- | --- | --- | --- | --- | --- |
| Schedule 14A | 2,600 | 1.5 | 3,900 | 2,925 | 975 | $390,000 |
| Schedule 14C | 228 | 1.5 | 342 | 256.50 | 85.50 | $34,200 |
| 10-K | 8,292 | 15 | 124,380 | 93,285 | 31,095 | $12,438,000 |
| 10-K | 5,464 | 1.5 | 8,196 | 6,147 | 2,049 | $819,600 |
| 10-Q | 600 | 5 | 3,000 | 2,250 | 750 | $300,000 |
| 20-F | 729 | 16.5 | 12,028.50 | 3,007.125 | 9,021.375 | $3,608,550 |
| 8-K | 200 | 10 | 2,000 | 1,500 | 500 | $200,000 |
| 6-K | 20 | 9 | 180 | 135 | 45 | $18,000 |

9 The table’s estimated number of responses aggregates the responses for both the disclosure requirement and the
submission requirement. Some registrants will be counted twice, once for each response. For convenience, the
estimated hour and cost burdens in the table have been rounded to the nearest whole number.

The portion of the burden carried by outside professionals is reflected as a cost, while the
portion of the burden carried by the registrant internally is reflected in hours. For purposes of the
PRA, the Commission estimates that 75 percent of the burden of preparation of Schedule 14A,
Schedule 14C, Form 10-Q, Form 10-K, Form 6-K, and Form 8-K would be carried by the
registrant internally and that 25 percent of the burden of preparation would be carried by outside
professionals. By contrast, the Commission estimates that 75 percent of the
burden of preparation of Form 20-F would be allocated to outside professionals and 25 percent
of the preparation burden would be allocated internally. In all cases, we estimate that the outside
professionals retained by the registrant would cost an average of $400 per hour.10
These estimates represent the average burden for all respondents, both large and small.
In deriving our estimates, we recognize that the burdens will likely vary among individual
respondents based on a number of factors, including the nature of their business.
16. INFORMATION COLLECTION PLANNED FOR STATISTICAL PURPOSES

The information collections do not employ statistical methods.
17. APPROVAL TO OMIT OMB EXPIRATION DATE

The Commission requests authorization to omit the expiration date on the electronic
version of these forms. Including the expiration date on the electronic version of the forms will
result in increased costs because the need to make changes to the forms may not follow the
application’s scheduled version release dates. The OMB control number will be displayed.
18. EXCEPTIONS TO CERTIFICATION FOR PAPERWORK REDUCTION ACT SUBMISSIONS

There are no exceptions to certification for the PRA submissions.
B. STATISTICAL METHODS

The information collections do not employ statistical methods.

10 The Commission recognized that the costs of retaining outside professionals may vary depending on the nature of
the professional services, but for purposes of this PRA analysis, the Commission estimated that such costs would
be an average of $400 per hour. This estimate is based on consultations with several registrants, law firms and
other persons who regularly assist registrants in preparing and filing periodic reports with the Commission.

Schedule 14C Short Statement
If adopted, the proposed amendments would require registrants to disclose information on
the cybersecurity expertise of members of the board of directors of the registrant, if any.
Schedule 14C, along with Schedule 14A, would be the primary disclosure documents for the
information provided in response to proposed Item 407(j) of Regulation S-K in connection with
proxy and information statements involving the election of directors. For purposes of the PRA,
the Commission estimates that, for Schedule 14C, the proposed amendments would result in an
increase of 256.50 burden hours and $34,200 for the services of outside professionals.

Schedule 14A Short Statement
If adopted, the proposed amendments would require registrants to provide the same sort
of cybersecurity disclosure as in Schedule 14C, i.e., requiring registrants to disclose information on the
cybersecurity expertise of members of the board of directors of the registrant, if any. For
purposes of the PRA, the Commission estimates that, for Schedule 14A, the proposed
amendments would result in an increase of 2,925 burden hours and $390,000 for the services of
outside professionals.

Form 8-K Short Statement
If adopted, the proposed amendments would require registrants to disclose information
about a cybersecurity incident within four business days after the registrant determines that it
has experienced a material cybersecurity incident. The Commission estimates that the
amendments would result in an increase in the paperwork burden of affected entities. For
purposes of the PRA, the Commission estimates that, for Form 8-K, the proposed amendments
would result in an increase of 1,500 burden hours and $200,000 for the services of outside
professionals.

Form 10-K Short Statement
If adopted, the proposed amendments would require additional disclosure of a registrant’s
policies and procedures, if any, for the identification and management of risks from
cybersecurity threats, a registrant’s cybersecurity governance, including the board of directors’
oversight role regarding cybersecurity risks, and management’s role and expertise in assessing
and managing cybersecurity risk and implementing the registrant’s cybersecurity policies,
procedures, and strategies, as well as disclosure regarding board member cybersecurity expertise,
if any. The Commission also proposed to require registrants to provide updated disclosure
relating to previously disclosed cybersecurity incidents and to require disclosure, to the extent
known to management, when a series of previously undisclosed individually immaterial
cybersecurity incidents has become material in the aggregate.
The Commission estimates that the amendments would result in an increase in the
paperwork burden of affected entities. For purposes of the PRA, the Commission estimates that,
for Form 10-K, the proposed amendments would result in an increase of 99,432 burden hours
and $13,257,600 for the services of outside professionals.

Form 10-Q Short Statement
If adopted, the proposed amendments would require registrants to provide updated
disclosure relating to previously disclosed cybersecurity incidents and to require disclosure, to
the extent known to management, when a series of previously undisclosed individually
immaterial cybersecurity incidents has become material in the aggregate. The Commission
estimates that the amendments would result in an increase in the paperwork burden of affected
entities. For purposes of the PRA, the Commission estimates that, for Form 10-Q, the proposed
amendments would result in an increase of 2,250 burden hours and $300,000 for the services of
outside professionals.

Form 6-K Short Statement
If adopted, the proposed amendments would require the addition of “cybersecurity
incidents” as a reporting topic. The Commission estimates that the amendments would result in
an increase in the paperwork burden of affected entities. For purposes of the PRA, the
Commission estimates that, for Form 6-K, the proposed amendments would result in an increase
of 135 burden hours and $18,000 for the services of outside professionals.

Form 20-F Short Statement
If adopted, the proposed amendments would require additional disclosure of a registrant’s
policies and procedures, if any, for the identification and management of risks from
cybersecurity threats, including whether the registrant considers cybersecurity as part of its
business strategy, financial planning, and capital allocation, disclosure about the board’s
oversight of cybersecurity risk and management’s role and expertise in assessing and managing
cybersecurity risk and implementing the registrant’s cybersecurity policies, procedures, and
strategies, as well as disclosure regarding board member cybersecurity expertise, if any. The
Commission estimates that the amendments would result in an increase in the paperwork burden
of affected entities. For purposes of the PRA, the Commission estimates that, for Form 20-F, the
proposed amendments would result in an increase of 3,007.125 burden hours and $3,608,550 for
the services of outside professionals.

File Type: application/pdf
File Modified: 2025-01-29
File Created: 2025-01-29
