On May 21, 2024, Erik Gerding, Director of the Division of Corporation Finance at the Securities and Exchange Commission, issued a statement clarifying when the SEC expects companies to disclose cyber incidents. This clarification allows public companies that want to disclose a cyber incident but have not yet determined whether the incident is material to file under Item 8.01, which covers voluntary disclosures, rather than Item 1.05, which applies only to material cybersecurity incidents.
Summary of SEC Rule Disclosure Requirements
In summary, the SEC rules and obligations thereunder require:
1. If a listed company determines that a cybersecurity incident is material, it must disclose a description of the material aspects of the nature, scope, and timing of the incident within four business days of the day on which the incident is determined to be material.
2. This disclosure must be made by filing a Form 8-K pursuant to the rules under the Securities Exchange Act of 1934.
3. The materiality determination must be made without undue delay after discovery of the incident.
4. The only basis for delaying the four-business-day filing deadline is a direct written request from the U.S. Attorney General to protect national security or public safety.
5. The Form 8-K must address the following, to the extent known:
   a) A general description of when the incident was discovered and whether it is ongoing.
   b) A brief description of the nature and scope of the incident.
   c) Whether any data was stolen or altered in connection with the incident.
   d) The impact, or reasonably possible impact, of the incident on the company's operations, including its financial condition and results of operations; and
   e) Whether the company has remediated, or is currently remediating, the incident.
Overreporting under Item 1.05
As GT previously reported, since the SEC's Cybersecurity Incident Disclosure Rule (SEC Rule) went into effect on December 18, 2023, about a dozen companies have reported material cybersecurity incidents on Form 8-K. GT highlighted five notable trends, including filings by companies that had not yet seen a material impact on their financial condition or results of operations, and filings by companies that subsequently determined the cybersecurity incident did not have a material impact. Reviewing these early Item 1.05 filings, we see confusion in the market as to when materiality is triggered for reporting purposes, as well as concern among listed companies that they will be criticized for failing to report in a timely manner.
The SEC has taken note of this trend. In a statement, Gerding said the SEC “does not want to discourage companies from voluntarily disclosing cybersecurity incidents whose materiality they have not yet determined, or from disclosing incidents that companies determine are immaterial,” because such disclosures may be valuable to investors, the market, and the company. But the SEC clarified that Item 1.05 is only for incidents that registrants consider material, and that using it for immaterial or undetermined incidents could confuse investors.
Instead, the SEC directs companies that wish to disclose cybersecurity incidents that may be material but have not yet been determined to be material to disclose them under Item 8.01 of Form 8-K, which applies to voluntary disclosures. Gerding's view is that a clear distinction between filings under Item 1.05 (material incidents) and Item 8.01 (voluntary disclosures) will help investors make informed decisions.
If an incident initially disclosed under Item 8.01 is later determined to be material, the company must file an Item 1.05 Form 8-K within four business days of that determination. According to the SEC, this approach is intended to ensure transparency while avoiding investor confusion and preserving the completeness of disclosures about material cybersecurity incidents.
Companies that have incorporated the SEC's new disclosure rules into their incident response plans should consider incorporating the SEC's guidance. This clarification should provide some relief to companies that have been victims of cybersecurity incidents that did not meet the materiality threshold but are concerned about being penalized for failing to timely file disclosures under the new cybersecurity reporting rules.