17 C.F.R. § 229.106
(a) Definitions. For purposes of this section:
Cybersecurity incident means an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant's information systems that jeopardizes the confidentiality, integrity, or availability of a registrant's information systems or any information residing therein.
Cybersecurity threat means any potential unauthorized occurrence on or conducted through a registrant's information systems that may result in adverse effects on the confidentiality, integrity, or availability of a registrant's information systems or any information residing therein.
Information systems means electronic information resources, owned or used by the registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the registrant's information to maintain or support the registrant's operations.
(b) Risk management and strategy.
(1) Describe the registrant's processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes. In providing such disclosure, a registrant should address, as applicable, the following non-exclusive list of disclosure items:
(c) Governance.
(2) Describe management's role in assessing and managing the registrant's material risks from cybersecurity threats. In providing such disclosure, a registrant should address, as applicable, the following non-exclusive list of disclosure items:
(iii) Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors.
Instruction 1 to Item 106(c): In the case of a foreign private issuer with a two-tier board of directors, for purposes of paragraph (c) of this section, the term “board of directors” means the supervisory or non-management board. In the case of a foreign private issuer meeting the requirements of § 240.10A-3(c)(3) of this chapter, for purposes of paragraph (c) of this Item, the term “board of directors” means the issuer's board of auditors (or similar body) or statutory auditors, as applicable.
Instruction 2 to Item 106(c): Relevant expertise of management in Item 106(c)(2)(i) may include, for example: Prior work experience in cybersecurity; any relevant degrees or certifications; any knowledge, skills, or other background in cybersecurity.
[88 FR 51942, Aug. 4, 2023]