
Corp Fin Director Issues Statement on Cybersecurity Incident Information Sharing | Cooley LLP

Yesterday, Corp Fin director Erik Gerding issued a new statement: Selective disclosure of information about cybersecurity incidents. As you know, last year the SEC issued new rules governing the disclosure of cybersecurity information, including requirements for both reporting material incidents under Item 1.05 of Form 8-K and periodic disclosure of material information related to cybersecurity risk management, strategy and governance. (See this PubCo post.) Gerding’s new statement is intended to dispel the notion that the new rules prevent companies from discussing information about a material cybersecurity incident with others, including their commercial counterparties, beyond what is included in the Form 8-K. Gerding assures us that “that is not the case.” But while the new rules may not prohibit disclosure, what about Reg FD?

According to Gerding, “Nothing in Item 1.05 prohibits a company from discussing a material cybersecurity incident privately with other parties or providing those parties with information about the incident beyond what is included in an Item 1.05 Form 8-K. These parties may include commercial counterparties such as suppliers and customers, as well as other entities that may be affected or at risk from the same incident or threat actor.” Gerding acknowledges that disclosure can help with “efforts to remediate, mitigate, or prevent risk.” In fact, as he notes, the rules even encourage appropriate information sharing in certain circumstances.

But what about Reg FD? While there is nothing in Form 8-K prohibiting further disclosure, some of these questions seem to arise from concerns about a potential violation of Reg FD. Gerding points out that there are “several ways a public company can privately share information about a material cybersecurity incident beyond what was disclosed in its Form 8-K Item 1.05 without violating Regulation FD. For example, the information about the incident shared privately may be immaterial, or the parties with whom the information is shared may not be among the types of persons covered by Regulation FD.” The types of persons covered would include brokers or dealers, investment advisers, investment companies and security holders, he notes. Or an exception may apply: “For example, if the information is disclosed to a person who owes a duty of loyalty or confidentiality to the issuer (such as a lawyer, investment banker or accountant) or if the person to whom the information is disclosed expressly agrees to keep the disclosed information confidential (e.g., if they enter into a confidentiality agreement with the issuer), then public disclosure of this privately disclosed information is not required under Regulation FD.”

Gerding concludes that while he understands the reluctance of some companies to share the information confidentially, the SEC rules “generally do not prohibit the sharing of such information.” Reg FD has been around for 20 years, and public companies should be familiar with the “vernacular of these rules… (W)hen the scope and requirements of these rules are observed, they should not constitute an unreasonable impediment to the mutually beneficial sharing of information about material cybersecurity incidents.”
