Eric Gerding, Director of the Division of Corporation Finance at the U.S. Securities and Exchange Commission (SEC), issued a statement on May 21, 2024, addressing disclosure of cybersecurity incidents determined to be material and other cybersecurity incidents. In it, Director Gerding addressed public companies' recent requirement to disclose material cybersecurity incidents under Item 1.05 of Form 8-K and what he believes to be “confusing” use of Item 1.05 by some companies to disclose non-material or not yet material information.
SEC Disclosure Requirements for Material Cybersecurity Incidents on Form 8-K
In July 2023, the SEC adopted the Cybersecurity Disclosure and Incident Response Rule (the Rule) applicable to public companies. Among other things, the regulations require public companies to disclose material cybersecurity incidents under the newly created Item 1.05 of Form 8-K. The trigger for disclosure under Item 1.05 is that a cybersecurity incident is “determined to be material by the registrant.”
Materiality has long been viewed from the perspective of a reasonable investor: the question is whether the information at issue (here, a cybersecurity incident) would significantly alter the “total mix” of information available that is relevant to an investment decision. Basic Inc. v. Levinson, 485 U.S. 224 (1988).
If a company determines that a cybersecurity incident is material, it must disclose the incident on Form 8-K within four business days of that determination. In his statement, Director Gerding noted that, in addition to quantitative (i.e., financial) factors, companies should also consider qualitative factors, such as whether the incident will adversely affect their reputation, customer or vendor relationships, or competitive position, as well as the possibility of litigation or regulatory investigations or actions, including actions by state or federal authorities or by authorities outside the United States.
How Some Companies Have Disclosed Cybersecurity Incidents on Form 8-K: Director Gerding's Advice
At least 17 companies have disclosed cybersecurity incidents under Item 1.05 since the rule took effect on December 18, 2023. Several of them stated that the underlying incident had not had a material impact on the company as of the filing date, or that the company had not yet determined whether the incident was material. Director Gerding appears to view these as voluntary disclosures. To be sure, some companies are wary of the four-business-day Form 8-K deadline and of the possibility that the SEC's Division of Enforcement could later second-guess management's real-time assessment of whether, or when, a cybersecurity incident became material, and they may choose to disclose the incident out of an abundance of caution.
In a statement, Gerding offered the following advice:
- If a company chooses to disclose a cybersecurity incident for which it has not yet made a materiality determination, or which it has determined to be immaterial, the Division of Corporation Finance encourages the company to disclose the incident under a separate item of Form 8-K (e.g., Item 8.01).
- Although the language of Item 1.05 does not expressly prohibit voluntary filings, Item 1.05 requires disclosure of cybersecurity incidents “determined to be material by the registrant.” Indeed, the item is titled “Material Cybersecurity Incidents.”
- Moreover, in adopting Item 1.05, the Commission noted that Item 1.05 is not a voluntary disclosure and is by definition material, because it is not triggered until the company determines the materiality of the incident.
- Therefore, it may confuse investors if a company discloses under Item 1.05 an immaterial cybersecurity incident, or an incident for which a materiality determination has not yet been made.
In fact, this point applies to any section of Form 8-K that requires disclosure of events that meet certain thresholds (in the case of cybersecurity incidents, the threshold is materiality). For events that fall below the required threshold but that a company chooses to disclose, Item 8.01 has long been available as an item under which companies can, and regularly do, disclose so-called “other events,” which are “events for which information is not otherwise required in this form that the registrant considers to be material to security holders.” One such example would be an acquisition agreement that does not rise to the level of a “material agreement” under Item 1.01 of Form 8-K but that the company wants the market to be aware of.
Key Points
Public disclosure of a cybersecurity incident, especially an ongoing one, could pose significant risks, including highlighting the company’s vulnerabilities to other bad actors seeking to exploit and harm the company and, by extension, its shareholders and other companies. Nevertheless, public companies must weigh these concerns against the risk of future SEC enforcement for failing to disclose an incident in a timely manner. While the SEC may have a hard time charging a company with failing to disclose (or failing to timely disclose) a cybersecurity incident where the company’s records show that it conducted a thorough and thoughtful materiality analysis, some companies may still be inclined to disclose the incident proactively (perhaps to comply with Regulation FD, or for other ancillary reasons, such as when data breach notices are sent to customers or other stakeholders). In the view of Director Gerding and the Division of Corporation Finance, such proactive disclosures are within the company’s discretion under Item 8.01, but preferably should not be made under Item 1.05.
Publicly traded companies focused on understanding and complying with the rules should continue to:
- Ensure that appropriate personnel within the company (and on the board of directors) are trained, qualified and supported with resources to identify and respond to cybersecurity incidents, and have access to members of management who will participate in disclosure decisions.
- Establish and follow clear, consistent, and reliable practices for rigorous and thorough materiality assessments of cybersecurity incidents. This should involve appropriate in-house subject matter experts and legal experts who can analyze the incident quantitatively and qualitatively.
- Document the materiality assessment process in accordance with internal compliance and legal guidance.
- If a cybersecurity incident is determined to be material, ensure timely and complete disclosure in accordance with Item 1.05. If the company has not yet determined the incident to be material, carefully assess the risks and benefits of disclosure under Item 8.01.
- Note that disclosing a cybersecurity incident under Item 8.01 does not preclude a later disclosure under Item 1.05. In other words, if a company discloses a cybersecurity incident under Item 8.01 and the incident is subsequently determined to be material, the company must still disclose the incident under Item 1.05 within four business days after determining that it is material.
Statements by Director Gerding, made in his capacity as Director of the Division of Corporation Finance, are not themselves SEC rules, regulations or statements of the Commission.
The Holland & Knight SECond Opinions blog will continue to monitor these developments. For more information on the history of the rule, incident response considerations, and other SEC enforcement and rulemaking topics of interest, please contact the author or any other member of Holland & Knight's Securities Enforcement Defense Team.