3 June 2024

SEC Division Of Corporation Finance Clarifies Form 8-K Disclosures Of Material Cybersecurity Incidents

Herbert Smith Freehills Kramer LLP


On May 21, 2024, the director of the SEC's Division of Corporation Finance, Erik Gerding, issued a statement regarding the new requirement to disclose material cybersecurity incidents on Form 8-K. The SEC's latest cybersecurity disclosure rules took effect for most companies on Dec. 18, 2023, and require public companies to disclose incidents that are "determined by the registrant to be material" under Item 1.05 of Form 8-K. In fact, Item 1.05 is titled "Material Cybersecurity Incidents" and the adopting release states Item 1.05 "is not a voluntary disclosure, and it is by definition material because it is not triggered until the company determines the materiality of an incident." Under Item 1.05, a materiality determination must be made by the company "without undue delay" and must be based on whether there is a substantial likelihood that a reasonable investor would consider the information important or whether it would have significantly altered the total mix of information available. Once a public company deems an incident "material," it must report the incident within four business days.

Since the new rules took effect approximately five months ago, many companies have chosen to voluntarily report cybersecurity incidents under Item 1.05 out of an abundance of caution, even where the company had not yet made a materiality determination or had determined the incident to be immaterial. While Gerding's statement recognizes the value of such voluntary disclosures, and the text of Item 1.05 does not expressly prohibit voluntary disclosures, the statement expressed concerns that reporting immaterial cybersecurity incidents under Item 1.05 may lead to investor confusion or dilute the value of Item 1.05.

Given the prevalence of both material and immaterial cybersecurity threats, which public companies face every day, Gerding encouraged companies to use Item 8.01 (Other Events) to voluntarily report cybersecurity incidents that have not been deemed material. This distinction "will allow investors to more easily distinguish between the two and make better investment and voting decisions with respect to material cybersecurity incidents.... [I]f all cybersecurity incidents are disclosed under Item 1.05, then there is a risk that investors will misperceive immaterial cybersecurity incidents as material, and vice versa."

Companies should carefully consider which item of Form 8-K to use when disclosing cybersecurity incidents. If the company has not yet made a materiality determination but chooses to voluntarily disclose a cybersecurity incident, it should do so under Item 8.01. If, however, the company learns additional information or later determines that the same incident is material, it should file another Form 8-K within four business days of that determination and report the incident under Item 1.05. Finally, for any material incidents, regardless of whether they were first reported under Item 1.05 or Item 8.01, the company should ensure that it discloses the impact of the incident in a manner that satisfies all the requirements of Item 1.05. This means companies may sometimes file an amendment on Form 8-K/A as they learn new details about a material incident after the four business day deadline.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
