As questions and commentary continue to arise with respect to the SEC’s rules on disclosure of material cybersecurity incidents, the SEC staff has sought to provide additional guidance on the application of the final cybersecurity disclosure rules.^[1] On June 20, 2024, Erik Gerding, the Director of the SEC’s Division of Corporation Finance, released a statement on the selective disclosure of information regarding cybersecurity incidents. This statement follows his statement from a month ago relating to disclosures made under Item 1.05 of Form 8-K. A prior Known Trends post discussed this statement.

In this latest statement, Gerding addresses the concern expressed by some companies “that if they experience a material cybersecurity incident, the Commission’s new rules prohibit them from discussing that incident beyond what was included in the Item 1.05 Form 8-K disclosing the incident.” While the statement makes clear that Item 1.05 does not prohibit companies from privately discussing the incident with other parties or providing information beyond what the company includes in its Form 8-K, it discusses the implications of Regulation FD on these private discussions.

As a reminder, Regulation FD prohibits selective disclosure of material nonpublic information to 1) market professionals (e.g., brokers, dealers, investment advisers) and 2) security holders under circumstances in which it is reasonably foreseeable that the security holder will trade on the basis of the information (collectively, the Covered Persons), unless the company publicly discloses the information simultaneously, in the case of an intentional disclosure, or promptly, in the case of an unintentional disclosure. In addition, Regulation FD carves out communications with persons who owe a duty of trust or confidence to the company (e.g., lawyers, accountants), and communications made pursuant to an express agreement to maintain the disclosed information in confidence.

The statement clarifies that “nothing in Item 1.05 alters Regulation FD or makes it apply any differently to communications regarding cybersecurity incidents.” It then reminds companies of ways that they can share information regarding a material cybersecurity incident privately without implicating Regulation FD (i.e., without being required to disclose the information publicly either simultaneously or promptly, as applicable). A company may share information privately without implicating Regulation FD in circumstances where:

• the information shared is immaterial; 
• the parties with whom the information is being shared are not Covered Persons;
• the information is disclosed to a person who owes a duty of trust or confidence to the company; and/or
• the information is disclosed to a party that has expressly agreed to maintain the disclosed information in confidence including, for example, by entering into a nondisclosure agreement.

While companies may be hesitant and cautious about discussing an incident with other parties, in the cybersecurity context, there may be a variety of business reasons for doing so including, for example, where “those parties may assist with remediation, mitigation, or risk avoidance efforts” and where the sharing of information “may facilitate those parties’ compliance with their own incident disclosure and reporting obligations[.]”  The statement is a helpful reminder of the applicability of Regulation FD generally and, in particular, with respect to Item 1.05 disclosures.

^[1] Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11216; 34-97989 (July 26, 2023)