SUPPORTING STATEMENT FOR FINAL RULES RELATING TO CYBERSECURITY RISK MANAGEMENT, STRATEGY, GOVERNANCE, AND INCIDENT DISCLOSURE
This supporting statement is part of a submission under the Paperwork Reduction Act of 1995 (“PRA”).[1]
A. JUSTIFICATION

1. CIRCUMSTANCES MAKING THE COLLECTION OF INFORMATION NECESSARY
On July 26, 2023, the Securities and Exchange Commission (“Commission”) adopted
rules and rule amendments to enhance and standardize disclosures regarding cybersecurity risk
management, strategy, governance, and incidents by public companies that are subject to the
reporting requirements of the Securities Exchange Act of 1934 (“Exchange Act”).[2] Specifically,
the final rules require current disclosure about material cybersecurity incidents on Form 8-K, and
likewise add “material cybersecurity incident” as a trigger for disclosure on Form 6-K. The rules
also require disclosures in annual reports on Form 10-K or Form 20-F about a registrant’s
processes to assess, identify, and manage material cybersecurity risks, management’s role in
assessing and managing material cybersecurity risks, and the board of directors’ oversight of
cybersecurity risks. Further, the rules require cybersecurity disclosures to be presented in Inline
eXtensible Business Reporting Language (“Inline XBRL”).
The final rules contain “collection of information” requirements within the meaning of
the PRA. The titles for the collection of information are:
• Form 8-K (OMB Control No. 3235-0060);
• Form 6-K (OMB Control No. 3235-0116);
• Form 10-K (OMB Control No. 3235-0063); and
• Form 20-F (OMB Control No. 3235-0288).

2. PURPOSE AND USE OF THE INFORMATION COLLECTION
The final rules are intended to better inform investors about a registrant’s cybersecurity
risk management, strategy, and governance and to provide timely disclosure of material
cybersecurity incidents.
[1] 44 U.S.C. §3501, et seq.
[2] See Release No. 33-11216 (July 26, 2023) (“final rules”).
3. CONSIDERATION GIVEN TO INFORMATION TECHNOLOGY
The forms that are affected by the final rules are filed electronically with the Commission
using the Commission’s Electronic Data Gathering and Retrieval (“EDGAR”) system.
The final rules require registrants to tag the information specified by Item 1.05 of Form
8-K and Item 106 of Regulation S-K in Inline XBRL in accordance with Rule 405 of Regulation
S-T (17 CFR 232.405) and the EDGAR Filer Manual.[3] The requirements include block text
tagging of narrative disclosures, as well as detail tagging of quantitative amounts disclosed
within the narrative disclosures. Inline XBRL is both machine-readable and human-readable,
which improves the quality and usability of XBRL data for investors.[4] Requiring Inline XBRL
tagging of the disclosures provided pursuant to these disclosure items will benefit investors by
making the disclosures more readily available and easily accessible to investors, market
participants, and others for aggregation, comparison, filtering, and other analysis, as compared to
requiring a non-machine readable data language such as ASCII or HTML.
4. DUPLICATION OF INFORMATION
Business development companies (“BDCs”) that are subject to the final rules may also
become subject to the proposed rule amendments in the Division of Investment Management’s
cybersecurity proposing release, if and when those rules are finalized.[5] To the extent that BDCs
would need to provide substantively the same or similar disclosure on both Form 8-K and in
registration statements, the compliance costs could be duplicative. However, the potential
duplication should not result in a significant increase in compliance costs, because BDCs should
be able to provide similar disclosure for both sets of rules.
The Commission also recognized the possibility that the final rules may conflict with the disclosure timeline set forth in 47 CFR 64.2011, a Federal Communications Commission rule regarding the disclosures that certain telecommunications carriers must make when they experience certain customer data breaches. Accordingly, the Commission adopted a narrow exception that allows a registrant that is subject to 47 CFR 64.2011 to delay providing the required Form 8-K disclosure for the period that is applicable under 47 CFR 64.2011(b)(1), so long as the registrant notifies the Commission no later than the date when the Form 8-K disclosure was otherwise required to be provided.

We are not aware of any other rules that conflict with or substantially duplicate the final rules.

[3] This tagging requirement is codified through cross-references to Rule 405 of Regulation S-T in Item 1.05 of Form 8-K, Item 106 of Regulation S-K, and Item 16K of Form 20-F, and by revising Rule 405(b) of Regulation S-T to include the listed disclosure Items. In conjunction with the EDGAR Filer Manual, Regulation S-T governs the electronic submission of documents filed with the Commission. Rule 405 of Regulation S-T specifically governs the scope and manner of disclosure tagging requirements for operating companies and investment companies, including the requirement in Rule 405(a)(3) to use Inline XBRL as the specific structured data language for tagging the disclosures.
[4] See Inline XBRL Filing of Tagged Data, Securities Act, Release No. 10514 (June 28, 2018) [83 FR 40846 (Aug. 16, 2018)]. Inline XBRL allows filers to embed XBRL data directly into an HTML document, eliminating the need to tag a copy of the information in a separate XBRL exhibit. Inline XBRL is both human-readable and machine-readable for purposes of validation, aggregation, and analysis. Id. at 40851.
[5] See Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies, Release No. 33-11028 (Feb. 9, 2022) [87 FR 13524 (Mar. 9, 2022)]. See also Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies; Reopening of Comment Period, Release No. 33-11167 (Mar. 15, 2023) [88 FR 16921 (Mar. 21, 2023)].
5. REDUCING THE BURDEN ON SMALL ENTITIES
The final rules will affect some companies that are small entities that are subject to the
reporting requirements of the Exchange Act. The Commission performed a Final Regulatory
Flexibility Act Analysis (“FRFA”). As part of the FRFA, the Commission estimated that as of
December 31, 2022, there were approximately 800 issuers and 10 BDCs that may be considered
small entities that would be subject to the final rules.
The Commission considered a variety of alternatives to achieve the purpose of the final
rules of providing material information regarding a registrant’s existing cybersecurity strategy,
risk management, and governance, as well as information regarding material cybersecurity
incidents. The Commission did not adopt additional alternative approaches in this rulemaking
because it does not believe it would be appropriate to establish alternative compliance requirements
or exempt small entities from the scope of the rules, given that the disclosure requirements are
intended to promote consistent disclosure among issuers. The Commission also noted the significant
cybersecurity risks smaller reporting companies face and the outsized impacts that cybersecurity
incidents may have on their businesses and believes that investors need access to timely
disclosure on material cybersecurity incidents and the material aspects of registrants’
cybersecurity risk management and governance. The Commission did note that smaller
reporting companies would likely benefit from additional time to comply with the incident
disclosure requirements. Accordingly, the final rules provide smaller reporting companies an
additional 180 days from the non-smaller reporting company compliance date before they must
begin complying with Item 1.05 of Form 8-K.
6. CONSEQUENCES OF NOT CONDUCTING COLLECTION
The forms were adopted under the Exchange Act and set forth the disclosure
requirements for current reports, periodic reports, and proxy and information statements filed by
registrants to help investors make informed investment and voting decisions. Less frequent
collection would deprive investors of access to information that is important to these decisions.
7. SPECIAL CIRCUMSTANCES
There are no special circumstances in connection with the final rules.
8. CONSULTATIONS WITH PERSONS OUTSIDE THE AGENCY
In March 2022, the Commission issued a proposing release Cybersecurity Risk
Management, Strategy, Governance, and Incident Disclosure,[6] which solicited comment on the
proposal and the “collection of information” requirements and associated paperwork burdens of
the proposed amendments. Comments on the Commission’s releases are generally received from
registrants, investors, and other market participants. In addition, the Commission and staff
participate in an ongoing dialogue with representatives of various market participants through
public conferences, meetings, and informal exchanges. The Commission considers all comments
received. Additionally, as noted in the adopting release, members of the Commission staff
consulted with the Federal Communications Commission (FCC) and the United States
Department of Justice (DOJ) among other federal agencies, commentators, and market
participants.
9. PAYMENT OR GIFT TO RESPONDENTS
No payment or gift has been provided to any respondents.
10. CONFIDENTIALITY
All of the affected information collections filed with the Commission are available to the
public.
11. SENSITIVE QUESTIONS
No information of a sensitive nature would be required in connection with the final rules.
These information collections collect basic Personally Identifiable Information (PII) that may
include a name and job title. However, the agency has determined that the information
collections do not constitute a system of record for purposes of the Privacy Act. Information is
not retrieved by a personal identifier. In accordance with Section 208 of the E-Government Act
of 2002, the agency has conducted a Privacy Impact Assessment (“PIA”) of the EDGAR system,
in connection with the affected collections of information. The EDGAR PIA, published on
March 6, 2025, is provided as a supplemental document and is also available at
https://www.sec.gov/privacy.
12. and 13. ESTIMATES OF HOUR AND COST BURDENS
We anticipate that new disclosure and submission requirements will increase the burdens
and costs for affected registrants. We derived the burden hour and cost estimates by estimating
the average amount of time it would take a registrant to prepare and review the required
disclosure and submission, as well as the average hourly rate for outside professionals who assist
with such preparation. All of these burden estimates incorporate the tagging requirements in
Rule 405 of Regulation S-T.
[6] See Release No. 33-11038 (Mar. 9, 2022) [87 FR 16590 (Mar. 23, 2022)].
Table 1 summarizes the estimated changes in burden attributable to the final rules for the
affected forms and schedules:
Table 1: Estimated Paperwork Burden Associated with the Final Rules

Final Amendments and Effects

Form 8-K
• Add Item 1.05 requiring disclosure of material cybersecurity incidents within four business days following determination of materiality.

Form 6-K
• Add “cybersecurity incident” to the list in General Instruction B of information required to be furnished on Form 6-K.

Regulation S-K Item 106
• Add Item 106(b) requiring disclosure regarding cybersecurity risk management and strategy.
• Add Item 106(c) requiring disclosure regarding cybersecurity governance.

Affected Forms | Estimated Burden Increase | Number of Estimated Affected Responses*
Form 8-K | 9 hour increase in compliance burden per form | 200 Filings
Form 6-K | 9 hour increase in compliance burden per form | 20 Filings
Form 10-K | 10 hour increase in compliance burden per form | 8,292 Filings
Form 20-F | 10 hour increase in compliance burden per form | 729 Filings
The burden estimates include the time and cost of preparing the disclosure, as well as
tagging the data in XBRL.
The estimated number of affected responses for Form 8-K and Form 6-K reflects that not
every filing of these forms would include responsive disclosures. Rather, these disclosures
would be required only when a registrant has made the determination that it has experienced a
material cybersecurity incident. Further, in the case of Form 6-K, the registrant would only have
to provide the disclosure if it is required to disclose such information elsewhere.
Table 2 below sets forth our estimates of the number of current filings on the forms
which will be affected by the final rules. We used this data to extrapolate the effect of these
changes on the paperwork burden for the listed periodic reports.[7]
[7] The OMB PRA filing inventories represent a three-year average. Averages may not align with the actual number of filings in any given year.
Table 2: Estimated Paperwork Burden of Cybersecurity Disclosure

Form | Current Annual Responses in PRA Inventory | Estimated Number of Filings that Would Include Cybersecurity Disclosure
8-K | 70,560 | 200
6-K | 34,794 | 20
10-K | 8,292 | 8,292
20-F | 729 | 729
Table 3 below summarizes the current paperwork burden to prepare and review
the current required disclosure and submissions, including the current annual responses, current
burden hours, and current cost burdens. This information is then compared to the changes in
those respective burdens under the final rules and the overall cost and burden of such
implementation of the final rules.
Table 3. Requested Paperwork Burden under the Final Rules

Column key. Current Burden: (A) Current Annual Responses; (B) Current Burden Hours; (C) Current Cost Burden. Program Change: (D) Change in Number of Affected Responses; (E) Change in Company Hours; (F) Change in Professional Costs. Revised Burden: (G) Annual Responses = (A) + (D); (H) Burden Hours = (B) + (E); (I) Cost Burden = (C) + (F).

Form | (A) | (B) | (C) | (D) | (E) | (F) | (G) | (H) | (I)
Form 8-K | 70,560 | 445,300 | $59,373,418 | 200 | 1,350 | $270,000 | 70,760 | 446,650 | $59,643,418
Form 6-K | 34,794 | 227,031 | $30,270,780 | 20 | 135 | $27,000 | 34,814 | 227,166 | $30,297,780
Form 10-K | 8,292 | 13,988,811 | $1,835,594,519 | --- | 62,190 | $12,438,000 | 8,292 | 14,051,001 | $1,848,032,519
Form 20-F | 729 | 479,667 | $576,970,825 | --- | 1,823 | $3,280,500 | 729 | 481,490 | $580,251,325
14. COSTS TO FEDERAL GOVERNMENT
The annual cost of reviewing and processing disclosure documents, including registration
statements, post-effective amendments, proxy statements, annual reports, and other filings of
operating companies amounted to $131,724,880 in fiscal year 2023, based on the Commission’s
computation of the value of staff time devoted to this activity and related overhead.
15. REASON FOR CHANGE IN BURDEN
As explained in further detail in Items 1, 12, and 13 above, changes in burden for Form 8-K, Form 6-K, Form 10-K, and Form 20-F will result from the final rules.
Table 4 below shows the total estimated annual compliance burden, in hours and in costs
that will result from the final rules.[8] The burden estimates were calculated by multiplying the
estimated number of responses by the estimated average amount of time it would take a
registrant to prepare and review the required information.
Table 4. Calculation of the Incremental Change in Burden Estimates of Current Responses Resulting from the Final Rules

Column key: (A) Number of Estimated Affected Responses; (B) Burden Hour Increase per Response; (C) Change in Burden Hours = (A) x (B); (D) Change in Company Hours = (C) x 0.75 or .25; (E) Change in Professional Hours = (C) x 0.25 or .75; (F) Change in Professional Costs = (E) x $600.

Collection of Information | (A) | (B) | (C) | (D) | (E) | (F)
8-K | 200 | 9 | 1,800 | 1,350 | 450 | $270,000
6-K | 20 | 9 | 180 | 135 | 45 | $27,000
10-K | 8,292 | 10 | 82,920 | 62,190 | 20,730 | $12,438,000
20-F | 729 | 10 | 7,290 | 1,822.50 | 5,467.50 | $3,280,500

[8] The table’s estimated number of responses aggregates the responses for both the disclosure requirement and the submission requirement. Some registrants will be counted twice, once for each response. For convenience, the estimated hour and cost burdens in the table have been rounded to the nearest whole number.
The portion of the burden carried by outside professionals is reflected as a cost, while the
portion of the burden carried by the registrant internally is reflected in hours. For purposes of the
PRA, the Commission estimates that 75 percent of the burden of preparation of Form 8-K, Form
6-K, and Form 10-K would be carried by the registrant internally and that 25 percent of the
burden of preparation would be carried by outside professionals. By contrast, the Commission
estimates that 75 percent of the burden of preparation of Form 20-F would be
allocated to outside professionals and 25 percent of the preparation burden would be allocated
internally. In all cases, we estimate that the outside professionals retained by the registrant
would cost an average of $600 per hour.[9]
These estimates represent the average burden for all respondents, both large and small.
In deriving our estimates, we recognize that the burdens will likely vary among individual
respondents based on a number of factors, including the nature of their business.
16. INFORMATION COLLECTION PLANNED FOR STATISTICAL PURPOSES
The information collections do not employ statistical methods.
17. APPROVAL TO OMIT OMB EXPIRATION DATE
We request authorization to omit the expiration date on the electronic version of these
forms. Including the expiration date on the electronic version of the forms will result in
increased costs because the need to make changes to the forms may not follow the application’s
scheduled version release dates. The OMB control number will be displayed.
18. EXCEPTIONS TO CERTIFICATION FOR PAPERWORK REDUCTION ACT SUBMISSIONS
There are no exceptions to certification for the PRA submissions.
B. STATISTICAL METHODS
The information collections do not employ statistical methods.
[9] The Commission recognized that the costs of retaining outside professionals may vary depending on the nature of the professional services, but for purposes of this PRA analysis, the Commission estimated that such costs would be an average of $600 per hour. This estimate is based on consultations with several registrants, law firms and other persons who regularly assist registrants in preparing and filing periodic reports with the Commission.
Form 8-K Short Statement
The final rules require registrants to disclose information about a cybersecurity incident
within four business days after the registrant determines that a cybersecurity incident it has
experienced is material. The Commission estimates that the final rules will result in an increase
in the paperwork burden of affected entities. For purposes of the PRA, the Commission
estimates that for Form 8-K the final rules will result in an increase of 1,350 burden hours and
$270,000 for the services of outside professionals.
Form 6-K Short Statement
The final rules require the addition of “material cybersecurity incident” as a reporting
topic. The Commission estimates that the amendments will result in an increase in the
paperwork burden of affected entities. For purposes of the PRA, the Commission estimates that
for Form 6-K the final rules will result in an increase of 135 burden hours and $27,000 for the
services of outside professionals.
Form 10-K Short Statement
The final rules require annual disclosure of a registrant’s processes, if any, for assessing,
identifying, and managing material risks from cybersecurity threats, as well as a description of
whether any risks from cybersecurity threats, including as a result of previous cybersecurity
incidents, have materially affected or are reasonably likely to materially affect the registrant.
The final rules also require a description of the board of directors’ oversight of risks from
cybersecurity threats, and a description of management’s role in assessing and managing the
registrant’s material risks from cybersecurity threats.
The Commission estimates that the final rules will result in an increase in the paperwork
burden of affected entities. For purposes of the PRA, the Commission estimates that for Form
10-K the final rules will result in an increase of 62,190 burden hours and $12,438,000 for the
services of outside professionals.
Form 20-F Short Statement
The final rules require annual disclosure of a foreign private issuer’s processes, if any, for
assessing, identifying, and managing material risks from cybersecurity threats, as well as
a description of whether any risks from cybersecurity threats, including as a result of previous
cybersecurity incidents, have materially affected or are reasonably likely to materially affect the
registrant. The final rules also require a description of the board of directors’ oversight of risks
from cybersecurity threats, and a description of management’s role in assessing and managing
the registrant’s material risks from cybersecurity threats.
For purposes of the PRA, the Commission estimates that, for Form 20-F, the final rules
will result in an increase of 1,823 burden hours and $3,280,500 for the services of outside
professionals.
File Type: application/pdf | File Title: SUPPORTING STATEMENT FOR “FORM 8-K” | Author: alemane | File Created and Modified: 2025:07:29 10:39:17-04:00