SEC Clarifies Cybersecurity Incident Disclosure Requirements For Public Companies

Buchanan Ingersoll & Rooney PC

Contributor

With 450 attorneys and government relations professionals across 15 offices, Buchanan Ingersoll & Rooney provides progressive legal, business, regulatory and government relations advice to protect, defend and advance our clients’ businesses. We service a wide range of clients, with deep experience in the finance, energy, healthcare and life sciences industries.

On May 21, 2024, Erik Gerding, Director of the Division of Corporation Finance at the Securities and Exchange Commission (SEC), provided important clarifications regarding the disclosure of cybersecurity incidents by public companies. This statement highlights the requirements and best practices for disclosing cybersecurity incidents under the new rules adopted on July 26, 2023.

The SEC's clarification aims to enhance transparency and clarity for investors by ensuring that disclosures of material cybersecurity incidents are accurate and meaningful, rather than adding unnecessary distraction to the information space. This approach is intended to allow investors to more easily distinguish between material and immaterial incidents, aiding in better investment and voting decisions.

Key Clarifications on Disclosure of Cybersecurity Incidents

1. Material Cybersecurity Incidents (Item 1.05 of Form 8-K)

Public companies are required to disclose material cybersecurity incidents under Item 1.05 of Form 8-K. As stated by the SEC, "Item 1.05 is not a voluntary disclosure, and it is by definition material because it is not triggered until the company determines the materiality of an incident."

The SEC emphasized that Item 1.05 is specifically for "Material Cybersecurity Incidents" and is triggered only when a company determines the incident to be material.

2. Immaterial Cybersecurity Incidents

Companies that wish to disclose cybersecurity incidents that have not yet been determined to be material, or that have been determined to be immaterial, are encouraged to do so under a different Item of Form 8-K, such as Item 8.01. According to Director Gerding, this distinction will help to prevent investor confusion, as "it could be confusing for investors if companies disclose either immaterial cybersecurity incidents or incidents for which a materiality determination has not yet been made under Item 1.05."

3. Subsequent Determinations and Amendments

If a company initially discloses an incident under Item 8.01 (or another 8-K Item) and later determines the incident to be material, it still must file an Item 1.05 Form 8-K within four business days of that determination. The new filing may reference the earlier disclosure, but the company will need to ensure compliance with the requirements of Item 1.05.

Reminder Regarding Comprehensive Materiality Assessment

As a reminder, when determining the materiality of a cybersecurity incident, companies should evaluate a broad spectrum of factors. In addition to a quantitative assessment of the impact on the financial condition and results of operations, the assessment should include qualitative aspects such as the impact on the company's reputation, customer or vendor relationships, competitiveness, and potential legal or regulatory consequences. The SEC's guidance advises that even if the full impact of an incident is not immediately clear, companies should provide investors with essential information about the incident's nature, scope, and timing in the initial disclosure under Item 1.05.

Conclusion

The SEC's May 21st statement serves as helpful guidance for publicly traded companies navigating their disclosure obligations for cybersecurity incidents. Compliance with SEC regulations is paramount to maintaining transparency and investor confidence.

Buchanan's Corporate team combines the legal expertise of our Securities and SEC practice with the technical acumen of our Cybersecurity and Data Privacy attorneys to deliver unparalleled counsel to our clients about their obligations under the SEC cybersecurity rule. From establishing and managing materiality review processes to assisting with materiality determinations and ensuring accurate reporting, Buchanan's experienced attorneys are here to support you every step of the way.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
