Form SCIR

Rule 10 and Form SCIR

Form SCIR Only (2023 Proposal)

OMB: 3235-0808

Note: The following appendix will not appear in the Code of Federal Regulations.

Form SCIR
Significant Cybersecurity Incidents and Risks
OMB Approval
OMB Number: [●]
Expires: [●]
Estimated average burden hours per response: [●]
per amendment: [●]


FORM SCIR INSTRUCTIONS
A. GENERAL INSTRUCTIONS
1. FORM – Part I of Form SCIR must be used by a covered entity to confidentially report a
cybersecurity incident pursuant to the requirements of 17 CFR 242.10. Part II of Form SCIR
must be used to publicly disclose cybersecurity risks and significant cybersecurity incidents
pursuant to the requirements of 17 CFR 242.10.
2. ELECTRONIC FILING - A covered entity must file Parts I and II of Form SCIR through the
EDGAR system, and must utilize the EDGAR Filer Manual (as defined in 17 CFR 232.11) to file
Parts I and II of Form SCIR electronically to assure the timely acceptance and processing of the
filing. Refer to 17 CFR 242.10 for other requirements with respect to filing Part I of Form SCIR
with other regulators and for other requirements with respect to publicly disclosing Part II of Form
SCIR.
3. FEDERAL INFORMATION LAW AND REQUIREMENTS - An agency may not conduct or
sponsor, and a person is not required to respond to, a collection of information unless it displays
a currently valid control number. Sections 15F, 17(a), 17A, and 23(a) of the Exchange Act
authorize the U.S. Securities and Exchange Commission (“Commission”) to collect the
information on Form SCIR from covered entities. See 15 U.S.C. §§78o-10, 78q and 78w. Filing
of Parts I and II of Form SCIR is mandatory. The principal purpose of Part I of Form SCIR is to
report information about a significant cybersecurity incident impacting a covered entity so the
Commission can respond to the incident, evaluate the operating status of the covered entity, and
assess the impact the significant cybersecurity incident may have on other participants in the U.S.
securities markets. The principal purpose of Part II of Form SCIR is to publicly disclose summary
descriptions of the cybersecurity risks of the covered entity and summary descriptions of each
significant cybersecurity incident that covered entity has experienced in the current or previous
calendar year (if applicable). Any member of the public may direct to the Commission any
comments concerning the accuracy of the burden estimate on this form, and any suggestions for
reducing this burden. This collection of information has been reviewed by the Office of
Management and Budget in accordance with the clearance requirements of 44 U.S.C. §3507.
The information contained in this form is part of a system of records subject to the Privacy Act of
1974, as amended. The Commission has published in the Federal Register the Privacy Act
Systems of Records Notice for these records.
4. FORMAT
a. All Items must be answered and all fields requiring a response must be completed before the
filing will be accepted.
b. A covered entity must complete the execution screen certifying that Form SCIR has been
executed properly and that the information contained in the form is accurate and complete
before the filing will be accepted.
c. A paper copy, with original signatures, of Part I and Part II of Form SCIR must be retained by
the covered entity and be made available for inspection upon a regulatory request.

5. EXPLANATION OF TERMS
a. COVERED ENTITY – The term “covered entity” has the same meaning as that term is
defined in 17 CFR 242.10 and, as used in Form SCIR, also refers to the person filing the
Form.
b. CYBERSECURITY INCIDENT – The term “cybersecurity incident” has the same meaning as
that term is defined in 17 CFR 242.10.
c. CYBERSECURITY RISK – The term “cybersecurity risk” has the same meaning as that term
is defined in 17 CFR 242.10.

d. INTERNAL INVESTIGATION – The term “internal investigation” means a formal investigation
of the significant cybersecurity incident by internal personnel of the covered entity or external
personnel hired by the covered entity that seeks to determine any of the following: the cause
of the significant cybersecurity incident; whether there was a failure to adhere to the covered
entity’s policies and procedures to address cybersecurity risk; or whether the covered entity’s
policies and procedures to address cybersecurity risk are effective.
e. PERSONAL INFORMATION – The term “personal information” has the same meaning as
that term is defined in 17 CFR 242.10.
f. SIGNIFICANT CYBERSECURITY INCIDENT – The term “significant cybersecurity incident”
has the same meaning as that term is defined in 17 CFR 242.10.
g. UNIQUE IDENTIFICATION CODE – The term “unique identification code” means a unique
identification code assigned to a person by an internationally recognized standards-setting
system that is recognized by the Commission pursuant to Rule 903(a) of Regulation SBSR
(17 CFR 242.903(a)).
B. INSTRUCTIONS TO PART I OF FORM SCIR
1. INITIAL REPORT - Pursuant to the requirements of 17 CFR 242.10, a covered entity must file an
initial report on Part I of Form SCIR with respect to a significant cybersecurity incident upon
having a reasonable basis to conclude that the incident has occurred or is occurring.
2. AMENDED REPORT - Pursuant to the requirements of 17 CFR 242.10, a covered entity must file
an amended report on Part I of Form SCIR with respect to a significant cybersecurity incident
after each of the following circumstances:
• Any information on a previously filed Part I of Form SCIR pertaining to the significant
cybersecurity incident becomes materially inaccurate;
• Any new material information pertaining to a significant cybersecurity incident previously
reported to the Commission on Part I of Form SCIR being discovered;
• A significant cybersecurity incident is resolved; or
• An internal investigation pertaining to a significant cybersecurity incident is closed.

3. FINAL REPORT - A covered entity filing a final report on Part I of Form SCIR must indicate on
the final notification if: (i) the Part I of Form SCIR is being filed because the significant
cybersecurity incident has been resolved and either no internal investigation pertaining to the
significant cybersecurity incident is being or will be conducted or an internal investigation
pertaining to the significant cybersecurity incident has been closed prior to the resolution of the
incident; or (ii) the Part I of Form SCIR is being filed to report that an internal investigation
pertaining to the significant cybersecurity incident has been closed and the significant
cybersecurity incident is resolved. If a covered entity files a final report on Part I of Form SCIR
with respect to a significant cybersecurity incident, and, thereafter, conducts an internal
investigation pertaining to the significant cybersecurity incident, it must file another final report on
Part I of Form SCIR when the investigation is closed pursuant to the requirements of 17 CFR
242.10.
4. CONTACT EMPLOYEE - The individual listed as the contact employee must be authorized by
the covered entity to provide the Commission with information about the significant cybersecurity
incident, and make information about the significant cybersecurity incident available to the
Commission.
5. LINE ITEMS
a. Line 2 – Provide the date the covered entity had a reasonable basis to conclude that the
significant cybersecurity incident had occurred or was occurring. This can be based on, for
example, reviewing or receiving a record, alert, log, or notice about the incident.
b. Line 3.C. – Provide the approximate date that the Covered Entity was no longer undergoing
a significant cybersecurity incident.


C. INSTRUCTIONS TO PART II OF FORM SCIR
1. PUBLIC DISSEMINATION – Part II of Form SCIR will be publicly disseminated upon filing it with
the Commission.
2. DISCLOSURE UPDATES - Pursuant to the requirements of 17 CFR 242.10, a covered entity
must promptly provide an updated disclosure through the methods required by 17 CFR 242.10 if
the information required to be disclosed pursuant to 17 CFR 242.10 materially changes, including
after the occurrence of a new significant cybersecurity incident or when information about a
previously disclosed significant cybersecurity incident materially changes.
The mailing address for questions and correspondence is:
The Securities and Exchange Commission
Washington, DC 20549



File Type: application/pdf
File Modified: 2023-04-11
File Created: 2023-04-11
