The U.S. Securities and Exchange Commission's (SEC) Division of Corporation Finance Director Erik Gerding released a statement on May 21, 2024, addressing Disclosure of Cybersecurity Incidents Determined to be Material and Other Cybersecurity Incidents. In it, Director Gerding addressed public companies' recent requirement to disclose material cybersecurity incidents under Item 1.05 of Form 8-K and what he views as some companies' "confusing" use of Item 1.05 to disclose immaterial or not-yet-material information.
SEC Requirement to Disclose Material Cybersecurity Incidents on Form 8-K
In July 2023, the SEC adopted cybersecurity disclosure and incident response rules applicable to public companies (Rules). Among other things, the Rules require public companies to disclose material cybersecurity incidents under newly created Item 1.05 of Form 8-K. The trigger for disclosure under Item 1.05 is that a cybersecurity incident "is determined by the registrant to be material."
Materiality has long been viewed from the perspective of a reasonable investor and whether the information at issue (here a cybersecurity incident) has a substantial likelihood of significantly altering the "total mix" of information made available in connection with an investment decision. Basic Inc. v. Levinson, 485 U.S. 224 (1988).
Once a company determines a cybersecurity incident was (or is) material, it must timely disclose the incident within four business days. In his statement, Director Gerding noted that in addition to quantitative (i.e., financial) factors, companies should consider qualitative factors, including whether an incident will harm its reputation, customer or vendor relationships or competitiveness, as well as the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-U.S. authorities.
How Some Companies Are Disclosing Cybersecurity Incidents on Form 8-K; Gerding's Advice
At least 17 companies have disclosed cybersecurity incidents under Item 1.05 since the Rules became effective on Dec. 18, 2023. Among those, some have noted that the underlying incident did not have a material impact on the company at the time of the filing and that the company had not yet determined whether the incident was material. Director Gerding appears to view these as voluntarily disclosures. Certainly, some companies may opt to disclose an incident out of an abundance of caution due to the four-day Form 8-K filing requirement and a potential concern that the SEC's Division of Enforcement may unfavorably second-guess management's real-time efforts to determine whether or when a cybersecurity incident was material.
In the statement, Director Gerding advised that:
- If a company chooses to disclose a cybersecurity incident for which it has not yet made a materiality determination, or a cybersecurity incident that the company determined was not material, the Division of Corporation Finance encourages the company to disclose that cybersecurity incident under a different item of Form 8-K (for example, Item 8.01).
- Although the text of Item 1.05 does not expressly prohibit voluntary filings, Item 1.05 was added to Form 8-K to require the disclosure of a cybersecurity incident "that is determined by the registrant to be material," and, in fact, the item is titled "Material Cybersecurity Incidents."
- In addition, in adopting Item 1.05, the Commission stated that "Item 1.05 is not a voluntary disclosure, and it is by definition material because it is not triggered until the company determines the materiality of an incident."
- Therefore, it could be confusing for investors if companies disclose either immaterial cybersecurity incidents or incidents for which a materiality determination has not yet been made under Item 1.05.
In fact, this point applies to any Form 8-K item that requires disclosure for an event that meets a certain threshold (for cybersecurity incidents, the threshold is materiality). For events that fall below a mandated threshold but a company chooses to disclose, Item 8.01 has long been utilized as the item under which companies can and regularly do disclose so-called "Other Events;" that is, "events with respect to which information is not otherwise called for by this Form, that the registrant deems of importance to security holders." One such example may be an agreement for an acquisition that does not rise to the level of being a "material agreement" under Item 1.01 of Form 8-K but that a company wants the market to be aware of.
Key Takeaways
Disclosure of a cybersecurity incident – especially one that is ongoing – can create significant risk, including spotlighting enterprise vulnerabilities to other bad actors who may seek to exploit and harm the company and, by extension, its stockholders and others. Nevertheless, public companies must weigh those concerns against the risk of future SEC enforcement for failing to timely disclose an incident. Though the SEC might struggle to charge a company for failing to disclose (or failing to timely disclose) a cybersecurity incident where the company's records show it undertook a thorough and thoughtful materiality analysis, some companies may still be inclined to proactively disclose an incident (possibly to comply with Regulation FD or other collateral dissemination reasons such as when data breach notifications are made to customers or other stakeholders). For Director Gerding and the Division of Corporation Finance, such proactive disclosures may be within a company's discretion to make under Item 8.01 but preferably not under Item 1.05.
Public companies focused on understanding and complying with the Rules should continue to:
- ensure appropriate personnel within the company (and on the board) are trained, qualified and resource-supported to identify and address cybersecurity incidents and that they have access to members of management who participate in making disclosure determinations
- establish and follow clear, consistent and reliable practices for rigorous and fulsome materiality assessments of cybersecurity incidents that should involve appropriate subject matter experts and legal specialists within the company who are able to analyze the incident quantitatively and qualitatively
- document materiality assessment processes with guidance from internal compliance and legal
- if a cybersecurity incident is deemed material, ensure timely and complete disclosure under Item 1.05; if the company has not yet determined that an incident is material, carefully evaluate the risks and opportunities of disclosure under Item 8.01
- bear in mind that disclosing a cybersecurity incident under Item 8.01 does not eliminate an Item 1.05 disclosure at a later date; in other words, if a company disclosed a cybersecurity incident under Item 8.01 and later determined the incident to be material, the company must still disclose the cybersecurity incident under Item 1.05 within four business days upon determining the incident is material
Director Gerding's statement, made in his official agency capacity, is itself not a rule, regulation or statement of the SEC.
The Holland & Knight SECond Opinions Blog will continue to monitor these developments.