On May 21, 2024, Corp Fin Director Erik Gerding released a statement to clarify whether to use Form 8-K Item 1.05 or Form 8-K Item 8.01 when reporting cybersecurity incidents. It appears that some registrants are misreporting, or at least reporting suboptimally, which could lead to investor confusion. Mr. Gerding's statement aims to set us straight. He also offers a bit of advice on determining the materiality of cybersecurity incidents.
In 2023, the SEC adopted new rules for cybersecurity disclosures. (See this PubCo post.) Under the final rules, if a public company experiences a cybersecurity incident that it determines to be material, the company is required to file a Form 8-K under new Item 1.05 describing the “material aspects of the nature, scope and timing of the incident, and its material or reasonably possible material effect on the registrant, including its financial condition and results of operations.” The Gerding statement emphasizes that Item 1.05 is intended to be used to report cybersecurity incidents that “the registrant determines to be material.” Moreover, in adopting Item 1.05, the SEC clarified that “Item 1.05 is not a voluntary disclosure and is by definition material because it is not triggered until the company determines the materiality of the incident.”
Companies can certainly make voluntary disclosures, and there is room for that, he suggests. If a company “elects to disclose a cybersecurity incident that it has not yet determined is material, or that it deems to be immaterial,” Corp Fin “encourages companies” to disclose that incident under a different item of Form 8-K (e.g., Item 8.01). Mr. Gerding acknowledges that the text of Item 1.05 does not explicitly prohibit voluntary disclosures, but notes that if a company discloses immaterial cybersecurity incidents, or incidents whose materiality has not yet been determined, under Item 1.05, it may confuse investors. “This clarification is not intended to discourage companies from voluntarily disclosing cybersecurity incidents that they have not yet determined to be material, or from disclosing incidents that they have determined are not material,” Gerding emphasizes. Rather, the statement is intended to encourage the filing of such voluntary disclosures in a manner that does not cause investor confusion or dilute the value of Item 1.05 disclosures regarding material cybersecurity incidents.
Distinguishing between the two types of filings would enable investors to more easily distinguish between material and immaterial events and “make better investment and voting decisions with respect to material cybersecurity incidents.” In contrast, if all cybersecurity incidents were disclosed under Item 1.05, there would be a risk that investors would misperceive immaterial cybersecurity incidents as material, and vice versa.
Of course, filing under Item 8.01 could mean that a company will eventually have to file a second Form 8-K. If a company discloses an immaterial incident (or an incident not yet determined to be material) under Item 8.01 of Form 8-K and later determines that it is material, the company will be required to file an Item 1.05 Form 8-K within four business days of that materiality determination. (Gerding points out that companies that voluntarily disclose under Item 8.01 “are still required to subsequently determine, without unreasonable delay, whether the incident was material” under Item 1.05 of Form 8-K.) Gerding advises that, although the Item 1.05 Form 8-K “may reference a prior Item 8.01 Form 8-K,” companies should ensure that the disclosure in the subsequent filing meets the requirements of Item 1.05.
Gerding recommends that, in determining the materiality of an incident and assessing its impact, companies evaluate all relevant factors and not just the effect on their “financial condition and results of operations.” Rather, he advises, companies should “consider qualitative as well as quantitative factors,” such as whether the incident will cause harm to “[its] reputation, customer or vendor relationships, or competitive position,” and “potential litigation or regulatory investigations or actions, including regulatory actions by state and federal authorities and authorities outside the United States.”
Gerding also addresses circumstances in which a company may determine that a significant cybersecurity incident is material even before it can assess the incident's impact or reasonably possible impact. In that case, Gerding advises, the company should include in its Item 1.05 Form 8-K a statement that it has not yet determined the impact (or reasonably possible impact) of the incident, and should amend the Form 8-K to disclose that impact once the information becomes available. Even so, the initial Form 8-K filing should provide investors with the information necessary to understand the material aspects of the nature, scope and timing of the incident, notwithstanding that the company cannot determine the impact (or reasonably possible impact) of the incident at that time.