
Code · CFR · Title 17 — Commodity and Securities Exchanges · Part 229 — Standard Instructions for Filing Forms Under Securities Act of 1933, Securities Exchange Act of 1934 and Energy Policy and Conservation Act of 1975—Regulation S-K · § 229.106

§ 229.106. (Item 106) Cybersecurity.


A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

(a) Definitions. For purposes of this section:
Cybersecurity incident means an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant's information systems that jeopardizes the confidentiality, integrity, or availability of a registrant's information systems or any information residing therein.
Cybersecurity threat means any potential unauthorized occurrence on or conducted through a registrant's information systems that may result in adverse effects on the confidentiality, integrity, or availability of a registrant's information systems or any information residing therein.
Information systems means electronic information resources, owned or used by the registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the registrant's information to maintain or support the registrant's operations.
(b) Risk management and strategy.
(1) Describe the registrant's processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes. In providing such disclosure, a registrant should address, as applicable, the following non-exclusive list of disclosure items:
(i) Whether and how any such processes have been integrated into the registrant's overall risk management system or processes;
(ii) Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes; and
(iii) Whether the registrant has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider.
(2) Describe whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition and if so, how.
(c) Governance.
(1) Describe the board of directors' oversight of risks from cybersecurity threats. If applicable, identify any board committee or subcommittee responsible for the oversight of risks from cybersecurity threats and describe the processes by which the board or such committee is informed about such risks.
(2) Describe management's role in assessing and managing the registrant's material risks from cybersecurity threats. In providing such disclosure, a registrant should address, as applicable, the following non-exclusive list of disclosure items:
(i) Whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise;
(ii) The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and
(iii) Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors.
Instruction 1 to Item 106(c): In the case of a foreign private issuer with a two-tier board of directors, for purposes of paragraph (c) of this section, the term "board of directors" means the supervisory or non-management board. In the case of a foreign private issuer meeting the requirements of § 240.10A-3(c)(3) of this chapter, for purposes of paragraph (c) of this Item, the term "board of directors" means the issuer's board of auditors (or similar body) or statutory auditors, as applicable.
Instruction 2 to Item 106(c): Relevant expertise of management in Item 106(c)(2)(i) may include, for example: Prior work experience in cybersecurity; any relevant degrees or certifications; any knowledge, skills, or other background in cybersecurity.
(d) Structured Data Requirement. Provide the information required by this Item in an Interactive Data File in accordance with Rule 405 of Regulation S-T and the EDGAR Filer Manual.
[88 FR 51942, Aug. 4, 2023]