Corporation Finance Director Speaks to Information Sharing Following Cybersecurity Disclosure

Stephen Quinlivan
Stinson - Corporate & Securities Law Blog
Contact
LinkedIn
Facebook
X
Send
Embed

Stinson - Corporate & Securities Law Blog

Erik Gerding, Director, SEC Division of Corporation Finance, issued a statement to clear up misconceptions following filing of an 8-K disclosing a cybersecurity incident.

According to Mr. Gerding, some companies are under the impression that if they experience a material cybersecurity incident, the SEC’s new rules prohibit them from discussing that incident beyond what was included in the Item 1.05 Form 8-K disclosing the incident.  Mr. Gerding added “That is not the case.”

According to the statement, nothing in Item 1.05 prohibits a company from privately discussing a material cybersecurity incident with other parties or from providing information about the incident to such parties beyond what was included in an Item 1.05 Form 8-K.

Mr. Gerding also addressed selective disclosure questions under Regulation FD.  As is well-known, Regulation FD requires public disclosure of any material nonpublic information that has been selectively disclosed to securities market professionals or shareholders, as specified in the regulation.  Depending on the information disclosed, and the persons to whom that information is disclosed, discussions regarding a cybersecurity incident may implicate Regulation FD.

“Nothing in Item 1.05 alters Regulation FD or makes it apply any differently to communications regarding cybersecurity incidents” according to Mr. Gerding.  There are several ways that a public company can privately share information regarding a material cybersecurity incident beyond what was disclosed in its Item 1.05 Form 8-K without implicating Regulation FD:

  • For example, the information that is being privately shared about the incident may be immaterial, or the parties with whom the information is being shared may not be one of the types of persons covered by Regulation FD.
  •  Further, even if the information being shared is material nonpublic information and the parties with whom the information is being shared are the types of persons covered by Regulation FD, an exclusion from the application of Regulation FD may apply.
  •  For example, if the information is being shared with a person who owes a duty of trust or confidence to the issuer (such as an attorney, investment banker, or accountant) or if the person with whom the information being shared expressly agrees to maintain the disclosed information in confidence (e.g., if they enter into a confidentiality agreement with the issuer), then public disclosure of that privately-shared information will not be required under Regulation FD.
Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Stinson - Corporate & Securities Law Blog | Attorney Advertising

Written by:

Stinson - Corporate & Securities Law Blog
Stinson - Corporate & Securities Law Blog
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Stinson - Corporate & Securities Law Blog on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide