TheCorporateCounsel.net

October 10, 2024

Cybersecurity: Staff Comments on Form 10-K Disclosures

In addition to comments from the Corp Fin Staff on cyber-related Form 8-K disclosures that Dave & Meredith previously shared, we’re beginning to see comment letters that the Staff has issued on Form 10-K cybersecurity disclosures. These disclosures were first required this year under Item 106 of Regulation S-K. Here’s a sampling of early comments (some of which I’ve paraphrased):

– We note that leaders from your information security, compliance and legal team oversee cybersecurity risk management. Please revise future filings to provide the relevant expertise of such persons or members in such detail as is necessary to fully describe the nature of the expertise as required by Item 106(c)(2)(i) of Regulation S-K.

– We note statements that you have not currently engaged any third-party service providers to support, manage, or supplement your cybersecurity processes, and that your Audit Committee receives updates from and discusses matters with your third-party IT support specialists. These statements appear inconsistent. Please revise future filings to clarify whether you engage assessors, consultants, auditors or other third parties in connection with your processes for assessing, identifying and managing material risks from cybersecurity threats as required by Item 106(b)(1)(ii) of Regulation S-K.

– We note you do not include Item 1C. Cybersecurity. Please revise or advise us why you do not provide disclosures as applicable under Item 106 of Regulation S-K.

Although comment letters are company-specific, these are the types of comments we’d expect to see out of the Disclosure Review Program as the Staff assesses “Year 1” compliance for this rule. The Corp Fin Staff isn’t looking to “play gotcha.” But if your disclosure has inconsistencies, or if you forgot to include Item 1C – or a specific element – you might be asked to correct that.

Liz Dunshee