SEC Corporation Finance Director Voluntarily Weighs in on Cybersecurity Incident Disclosures | Insights | Holland & Knight

The Director of the Division of Corporation Finance at the US Securities and Exchange Commission (SEC), Erik Gerding, issued a statement on May 21, 2024, addressing the disclosure of material cybersecurity incidents and other cybersecurity incidents. In it, Director Gerding addressed the recent requirement for public companies to disclose material cybersecurity incidents under Item 1.05 of Form 8-K and what he views as the "confusing" use of Item 1.05 by some companies to disclose information that is immaterial or that has not yet been determined to be material.

SEC Requirement to Disclose Material Cybersecurity Incidents on Form 8-K

In July 2023, the SEC adopted cybersecurity disclosure and incident response rules applicable to public companies (Rules). Among other things, the Rules require public companies to disclose material cybersecurity incidents under the newly created Item 1.05 of Form 8-K. The trigger for disclosure under Item 1.05 is a cybersecurity incident that is "determined by the registrant to be material."

Materiality has long been viewed from the perspective of a reasonable investor and whether the information at issue (in this case, a cybersecurity incident) has a substantial likelihood of significantly altering the "total mix" of information available in relation to an investment decision. Basic Inc. v. Levinson, 485 US 224 (1988).

Once a company determines that a cybersecurity incident was (or is) material, it must promptly disclose it within four business days. In his statement, Director Gerding noted that in addition to quantitative (i.e., financial) factors, companies must consider qualitative factors, including whether an incident will harm their reputation, customer or supplier relationships or competitiveness, as well as the possibility of litigation or regulatory investigations or actions, including actions by state and federal government authorities and non-U.S. authorities.

How Some Companies Disclose Cybersecurity Incidents on Form 8-K; Gerding's Advice

At least 17 companies have disclosed cybersecurity incidents under Item 1.05 since the Rules came into effect on December 18, 2023. Among them, some have noted that the underlying incident did not have a material impact on the company at the time of filing, or that the company had not yet determined whether the incident was material. Director Gerding appears to consider these to be voluntary disclosures. Certainly, some companies may choose to disclose an incident out of an abundance of caution due to the four-business-day Form 8-K filing requirement and potential concern that the SEC's Enforcement Division may, with the benefit of hindsight, unfavorably question management's real-time efforts to determine whether and when a cybersecurity incident was material.

In the statement, Director Gerding noted that:

  • If a company decides to disclose a cybersecurity incident for which it has not yet made a materiality determination, or a cybersecurity incident that the company determined was not material, the Division of Corporation Finance encourages the company to disclose that cybersecurity incident under a different item of Form 8-K (for example, Item 8.01).
  • Although the language of Item 1.05 does not expressly prohibit voluntary filings, Item 1.05 was added to Form 8-K to require disclosure of a cybersecurity incident "that the registrant determines is material" and, in fact, the item is titled "Material Cybersecurity Incidents."
  • Furthermore, in adopting Item 1.05, the Commission stated that "Item 1.05 is not a voluntary disclosure and, by definition, is material because it is not triggered until the company determines the materiality of an incident."
  • Therefore, it could be confusing for investors if companies disclose immaterial cybersecurity incidents or incidents for which a materiality determination has not yet been made under Item 1.05.

In fact, this point applies to any Form 8-K item that requires disclosure of an event that meets a certain threshold (for cybersecurity incidents, the threshold is materiality). For events that fall below a mandatory threshold but which a company nonetheless chooses to disclose, Item 8.01 has long been the item under which companies can, and regularly do, disclose so-called "Other Events"; that is, "events with respect to which information is not otherwise called for by this form, that the registrant deems of importance to security holders." An example of this may be an agreement for an acquisition that does not rise to the level of a "material definitive agreement" under Item 1.01 of Form 8-K, but that a company wants the market to know about.

Key takeaways

Disclosure of a cybersecurity incident (especially one that is ongoing) can create significant risk, including highlighting the company's vulnerabilities to other malicious actors who may attempt to exploit them and harm the company and, by extension, its shareholders and others. However, public companies must weigh those concerns against the risk of future SEC enforcement for failing to promptly disclose an incident. Although the SEC might have a difficult time charging a company for failing to disclose (or failing to disclose in a timely manner) a cybersecurity incident where the company's records show that it performed a thorough and thoughtful materiality analysis, some companies may still be inclined to proactively disclose an incident (possibly to comply with Regulation FD or for other collateral dissemination reasons, such as when making data breach notifications to customers or other interested parties). For Director Gerding and the Division of Corporation Finance, such proactive disclosures may be made at the discretion of the company under Item 8.01, but preferably not under Item 1.05.

Public companies focused on understanding and complying with the Rules should continue to:

  • Ensure that appropriate personnel within the company (and on the board of directors) are trained, qualified and resourced to identify and address cybersecurity incidents, and that they have access to the members of management involved in making disclosure decisions.
  • Establish and follow clear, consistent and reliable practices for rigorous and comprehensive materiality assessments of cybersecurity incidents, involving subject matter experts and appropriate legal specialists within the company who are capable of analyzing an incident both quantitatively and qualitatively.
  • Document the materiality assessment process with guidance from the legal and internal compliance departments.
  • If a cybersecurity incident is determined to be material, ensure timely and complete disclosure in accordance with Item 1.05; if the company has not yet determined that an incident is material, carefully evaluate the risks and benefits of disclosure under Item 8.01.
  • Note that disclosure of a cybersecurity incident under Item 8.01 does not eliminate the need for an Item 1.05 disclosure at a later date; in other words, if a company disclosed a cybersecurity incident under Item 8.01 and later determined that the incident was material, the company must still disclose the cybersecurity incident under Item 1.05 within four business days of the determination that the incident is material.

Director Gerding's statement, made in his official agency capacity, is not itself a rule, regulation or statement of the SEC.

Holland & Knight's Second Opinion Blog will follow this evolution closely. For more about the history of the Rules, incident response considerations and other SEC regulatory and enforcement topics of interest, please contact the authors or another member of Holland & Knight's Securities Application Defense Team.
