On May 22, 2024, the Director of the Division of Corporation Finance (“Corp Fin”) of the Securities and Exchange Commission (“SEC”) issued further guidance regarding disclosure of cybersecurity incidents on Form 8-K. The statement builds upon and provides additional clarity to companies seeking to comply with the SEC’s 2023 cybersecurity rules, which require public companies to disclose “material cybersecurity incidents” under Item 1.05 of Form 8-K.
In light of numerous recent Item 1.05 filings stating that the disclosed cyber incident was either not material or that the company had not yet determined whether the incident was material, the Corp Fin guidance encourages companies to reserve disclosures under Item 1.05 for incidents that the company has concluded are material.
The guidance further encourages companies that may wish to voluntarily disclose immaterial cybersecurity incidents to do so under Item 8.01 of Form 8-K (rather than Item 1.05). If, however, the company voluntarily discloses an incident under Item 8.01 but later determines that the incident is, in fact, material, it must file under Item 1.05 within four business days of that materiality determination.
The Corp Fin statement is purportedly “not intended to discourage companies from voluntarily disclosing cybersecurity incidents for which they have not yet made a materiality determination, or from disclosing incidents that companies determine to be immaterial.” Rather, the guidance claims to encourage disclosures “in a manner that does not result in investor confusion or dilute the value of Item 1.05,” which is intended to allow investors to readily identify only material cybersecurity incidents.
The guidance also reiterates the breadth of factors companies should consider when assessing the materiality of a cybersecurity incident, which the SEC set forth in the Adopting Release issued with its 2023 cybersecurity rules. The statement underscores that materiality considerations “should not be limited to the impact on ‘financial condition and results of operation,’” and that companies should also consider qualitative factors such as reputational impact, customer or vendor relationships, and the possibility of litigation or government investigations.
Finally, the statement suggests that initially disclosing an incident under Item 8.01 may provide at least some comfort to public companies attempting to strike a balance between two risks: on the one hand, limiting the use of Item 1.05 to material cybersecurity incidents, and on the other, not disclosing a significant incident and later being subject to a hindsight determination by the SEC that disclosure was required. In any event, given this guidance, companies that experience potentially material cybersecurity incidents should take care to document their materiality analysis and their disclosure considerations and determinations, and to involve disclosure counsel in such discussions.
Our team has significant experience navigating these challenging issues. We are here to help public companies in this quickly evolving cybersecurity incident disclosure landscape.