Erik Gerding, Director of the Division of Corporation Finance of the United States Securities and Exchange Commission (SEC), issued a statement on May 21, 2024, titled "Disclosure of Cybersecurity Incidents Determined To Be Material and Other Cybersecurity Incidents." In it, Director Gerding addresses the recent requirement for public companies to disclose material cybersecurity incidents under Item 1.05 of Form 8-K and what he considers to be some companies' "confusing" use of Item 1.05 to disclose immaterial or not-yet-material information.

SEC Requirement to Disclose Material Cybersecurity Incidents on Form 8-K

In July 2023, the SEC adopted cybersecurity disclosure and incident response rules applicable to public companies (the Rules). Among other things, the Rules require public companies to disclose material cybersecurity incidents under new Item 1.05 of Form 8-K. The trigger for disclosure under Item 1.05 is that a cybersecurity incident "is determined by the registrant to be material."

Materiality has long been assessed from the perspective of a reasonable investor, asking whether the information at issue (here, a cybersecurity incident) would be likely to significantly alter the "total mix" of information available in making an investment decision. Basic Inc. v. Levinson, 485 U.S. 224 (1988).

Once a company determines that a cybersecurity incident was (or is) material, it must disclose the incident within four business days. In his statement, Director Gerding noted that in addition to quantitative (i.e., financial) factors, companies should consider qualitative factors, including whether an incident will damage their reputation, their relationships with customers or suppliers, or their competitiveness, as well as the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal government authorities and by non-U.S. authorities.

How some companies disclose cybersecurity incidents on Form 8-K; Gerding's advice

At least 17 companies have disclosed cybersecurity incidents under Item 1.05 since the Rules came into force on December 18, 2023. Of these, some noted that the underlying incident did not have a material impact on the company at the time of filing or that the company had not yet determined whether the incident was material. Director Gerding appears to consider these to be voluntary disclosures. Certainly, some companies may choose to disclose an incident out of an abundance of caution because of the requirement to file Form 8-K within four business days and the concern that the SEC's Division of Enforcement may second-guess management's real-time efforts to determine whether or when a cybersecurity incident became material.

In the statement, Director Gerding indicated that:

If a company chooses to disclose a cybersecurity incident that the company has not yet determined is material, or a cybersecurity incident that the company has determined is not material, the Division of Corporation Finance encourages the company to disclose that cybersecurity incident under a different item of Form 8-K (e.g., Item 8.01).

Although the text of Item 1.05 does not expressly prohibit voluntary filings, Item 1.05 was added to Form 8-K to require disclosure of a cybersecurity incident "that is determined by the registrant to be material" and, in fact, the item is titled "Material Cybersecurity Incidents."

Additionally, in adopting Item 1.05, the Commission stated that “Item 1.05 does not constitute a voluntary disclosure and is by definition material because it is only triggered when the company has determined the materiality of an incident.”

Therefore, it could be confusing to investors if companies disclose under Item 1.05 either immaterial cybersecurity incidents or incidents for which a materiality determination has not yet been made.

In fact, this point applies to any item of Form 8-K that requires disclosure of an event meeting a certain threshold (for cybersecurity incidents, the threshold is materiality). For events that fall below a mandatory threshold but which a company nonetheless chooses to disclose, Item 8.01 has long been the basis under which companies can and routinely do disclose "Other Events"; that is, "events with respect to which information is not otherwise required by this Form and which the registrant considers important to securityholders." One example might be an acquisition agreement that does not constitute a "material agreement" within the meaning of Item 1.01 of Form 8-K but of which a company wishes the market to be aware.

Key takeaways

Disclosure of a cybersecurity incident, particularly one that is ongoing, can create significant risk, including highlighting the company's vulnerabilities to other malicious actors who may seek to exploit them and harm the company and, by extension, its shareholders and others. Nonetheless, public companies must weigh these concerns against the risk of future SEC enforcement for failing to disclose an incident in a timely manner. Although the SEC may have difficulty charging a company with failing to disclose (or failing to timely disclose) a cybersecurity incident when the company's records show that it undertook a thorough analysis and consideration of materiality, some companies may still be inclined to proactively disclose an incident (possibly to comply with Regulation FD or for other collateral reasons, such as when data breach notifications are issued to customers or other stakeholders). For Director Gerding and the Division of Corporation Finance, such proactive disclosures may be made at the company's discretion under Item 8.01, but preferably not under Item 1.05.

Public companies seeking to understand and comply with the Rules should continue to:

ensure that appropriate personnel within the company (and on the board of directors) are trained, qualified and resourced to identify and address cybersecurity incidents, and that they have access to and participate with management in decision-making regarding disclosure

establish and follow clear, consistent and reliable practices for rigorous and comprehensive assessments of the materiality of cybersecurity incidents, involving appropriate subject matter experts and legal specialists within the enterprise who are able to analyze the incident both quantitatively and qualitatively

document materiality assessment processes with guidance from internal compliance and legal departments

if a cybersecurity incident is determined to be material, ensure full and timely disclosure in accordance with Item 1.05; if the company has not yet determined that an incident is material, carefully evaluate the risks and benefits of disclosure under Item 8.01

keep in mind that disclosure of a cybersecurity incident under Item 8.01 does not preclude a required disclosure under Item 1.05 at a later date; in other words, if a company has disclosed a cybersecurity incident under Item 8.01 and subsequently determines that the incident was material, the company must still disclose the cybersecurity incident under Item 1.05 within four business days of determining that the incident is material.

Director Gerding's statement, made in his official agency capacity, does not in itself constitute a rule, regulation, or statement of the SEC.