Last month, the Director of the Division of Corporation Finance (“Director”) of the Securities and Exchange Commission (“SEC”) issued new guidance regarding disclosures of material cybersecurity incidents via Form 8-K under new cybersecurity rules the SEC adopted last year. Those rules require, in relevant part, that registrants disclose the occurrence of a cybersecurity incident via Form 8-K “that is determined by the registrant to be material” under a new Item 1.05. This post summarizes key takeaways from the guidance for public companies disclosing or considering disclosing a cybersecurity incident via Form 8-K under the SEC’s rules.

Do Not Use a Form 8-K Filed Under Item 1.05 to Report Incidents Pending Materiality Determination or Immaterial Incidents

Since the SEC’s new rules went into effect, several companies reported cybersecurity incidents under Item 1.05 using Form 8-K with statements to the effect that the company has not yet determined whether the incident was material. In the guidance, the Director criticizes that approach as confusing for investors, and emphasizes that companies should not report under Item 1.05 for incidents for which the company has not yet made a materiality determination, or for immaterial incidents.

A Form 8-K Filed Under Item 8.01 Is the Appropriate Method to Voluntarily Disclose Incidents Pending Materiality Determination or Immaterial Incidents

The guidance further states that it is not meant “to discourage companies from voluntarily disclosing cybersecurity incidents for which they have not yet made a materiality determination” or other immaterial incidents. But those voluntary disclosures, the Director explains, should be made under Item 8.01 to Form 8-K to avoid confusion or “dilut[ing] the value of Item 1.05 disclosures” for investors.

The Director also states that if a company subsequently determines an incident originally filed under Item 8.01 is material, it should file an Item 1.05 Form 8-K within four business days of the materiality determination. The Item 1.05 filing can also reference the prior Item 8.01 filing but must still satisfy Item 1.05’s requirements independently.

Materiality Determinations Can Be Distinct from Impact Determinations

Finally, the Director, in restating criteria relevant to the materiality determination, distinguishes between the determination of an incident’s impact or potential impact and the determination of whether the incident is “material”  for purposes of the SEC’s rule. To that end, the guidance states that there “may be cases in which a cybersecurity incident is so significant that a company determines it to be material even though the company has not yet determined its impact (or reasonably likely impact).” Such incidents, the guidance explains, should be disclosed in an Item 1.05 Form 8-K with “a statement noting that the company has not yet determined the impact (or reasonably likely impact) of the incident” but otherwise including “information necessary to understand the material aspects of the nature, scope, and timing of the incident.” Companies following that approach would then amend the initial Form 8-K filing once the impact is determined.

Takeaways

The guidance makes clear that a report pursuant to Item 1.05 necessarily means that the incident is material. Companies should not, therefore, not use a Form 8-K under Item 1.05 as a means of hedging  the risk of not reporting an incident that it or the SEC may later determine to be material. Instead, companies should use and update an Item 8.01 Form 8-K as appropriate.

We also recommend companies document their materiality analysis and related considerations when determining whether to make Item 1.05 or 8.01 reports. Privacy lawyers should also take care to coordinate with SEC disclosure teams and counsel in making those determinations.