Checklist: How to Comply With the New SEC Cybersecurity Disclosure Requirements

☐ Disclose Material Cybersecurity Incidents

Source: New Item 1.05 of Form 8-K and new Item 106 of Regulation S-K.

Requirements: Within four (4) business days of determining a cybersecurity incident (as defined by Item 106(a)) is material, describe:

• the nature, scope, and timing of the incident.
• the impact or reasonably likely impact on the registrant, including its financial condition and results of operations.
• If any of the above information cannot be determined or is not available at the time of the filing, a statement to that effect.

Note: Materiality determinations must be made without unreasonable delay after discovery of the incident per Instruction 1 to Item 1.05.

Disclosures must be tagged in Inline XBRL beginning one year after

☐Disclose Information that was Originally Unavailable

Source: New Item 1.05 of Form 8-K.

Requirements: If information was omitted from the original Form 8-K filing, within four (4) business days after such information is determined or becomes available:

• File an amendment to the original Form 8-K filing under Item 1.05 containing such information.

Note: An amendment should also be filed to rectify any prior disclosure that is found to have been untrue (or omitted information that made the disclosure misleading) at the time it was made.

Disclosures must be tagged in Inline XBRL beginning one year after initial compliance with the related disclosure requirement.

☐ Disclose Cybersecurity Risk Management and Strategy

Source: New Item 106(b)(1) of Regulation S-K.

Requirements: Disclose processes, if any, for assessment, identification and management of material risks from cybersecurity threats (as defined by Item 106(a)), including, as applicable, whether the registrant (and descriptions if so):

• Has integrated such processes into its overall risk management system or process.
• Engages assessors, consultants, auditors, or other third parties in connection with such processes.
• Has processes for overseeing and identifying cybersecurity threats associated with its use of third-party service providers.

Note: The disclosure is not expected to provide a level of detail that could increase a company’s vulnerability to cyberattack. Instead, it should enable investors to assess a registrant’s cybersecurity practices, including the existence of a risk assessment program, with enough information to understand the registrant’s cybersecurity risk profile.

Disclosures must be tagged in Inline XBRL beginning one year after

Form 10-K, Part I, Item 1.C. Cybersecurity.

☐ Disclose Identified Risks

Source: New Item 106(b)(2) of Regulation S-K.

Requirements: Describe whether any cybersecurity risks have, or are likely to, materially affect the company, including its business strategy, results of operations, or financial condition, and if so, explain how.

Note: Ensure consistency between any such disclosures and the corresponding risk factor disclosures. Alternatively, if the corresponding risk factor disclosures address these requirements, consider incorporating them by reference.

Disclosures must be tagged in Inline XBRL beginning one year after

Form 10-K, Part I, Item 1.C. Cybersecurity.

☐ Disclose Board Oversight of Cybersecurity Risks

Source: New Item 106(c)(1) of Regulation S-K.

Requirements: Disclose the board’s oversight of cybersecurity risk, including, as applicable:

• Any board committee or subcommittee that oversees cybersecurity related risks.
• The processes by which the board or such committee is informed of these risks.

Disclosures must be tagged in Inline XBRL beginning one year after

Form 10-K, Part I, Item 1.C. Cybersecurity.

☐ Disclose Management’s Role in Managing Material Cybersecurity Risks

Source: New Item 106(c)(2) of Regulation S-K.

Requirements: Disclose management’s role in assessing and managing material cybersecurity risks, including, as applicable:

• Whether and which positions or committees are responsible for assessing and managing cybersecurity risk.
• A full description of the relevant expertise of such persons.
• The processes by which such persons or committees are informed of and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents.
• Whether such persons or committees report information about such risks to the board or a committee of the board.

Note: Relevant expertise may include prior work experience; any relevant degree or certification; and any knowledge, skills or other background.

Disclosures must be tagged in Inline XBRL beginning one year after

Form 10-K, Part I, Item 1.C. Cybersecurity.

☐ Furnish Information on Material Cybersecurity Incidents

Source: Amended General Instruction B of Form 6-K.

Requirements: Furnish information to the SEC regarding material cybersecurity incidents pursuant to the usual Form 6-K procedures.

Disclosures must be tagged in Inline XBRL beginning one year after initial compliance with the related disclosure requirement.

☐ Disclose Cybersecurity Risk Management and Strategy

☐ Disclose Identified Risks

☐ Disclose Board Oversight of Cybersecurity Risks

☐ Disclose Management’s Role in Managing Material Cybersecurity Risks

Source: New Item 16K of Form 20-F.

Requirements: For a summary of requirements, refer to the respective disclosure section for domestic public companies above. These disclosure requirements apply only to annual reports, and not to registration statements on Form 20-F.

Note: Board of directors means a supervisory or non-management board, board of auditors, or statutory auditors, as applicable.

Disclosures must be tagged in Inline XBRL beginning one year after