
SEC Releases New Statement on Cybersecurity Incident Disclosure | Mintz – Viewpoints on Privacy and Cybersecurity

Last week, Erik Gerding, Director of the SEC’s Division of Corporation Finance (the Division), issued a statement(1) providing clarifications on the disclosure of cybersecurity incidents by reporting companies. This follows the Cybersecurity Rules adopted on July 26, 2023, which, among other things, require that material cybersecurity incidents be disclosed under Item 1.05 of Form 8-K (see our previous Viewpoints note).

The SEC’s clarification also follows an initial spate of “voluntary” disclosures of cybersecurity incidents under Item 1.05 of Form 8-K by reporting companies that apparently had not yet made a determination regarding the materiality of the reported incidents at the time of filing Item 1.05 of Form 8-K.



Here are the most important points from Erik Gerding’s statement. For more detailed information, please see Erik Gerding’s full statement here.

  1. Mandatory disclosure when determining materiality:
  • Under the Cybersecurity Rules adopted on July 26, 2023, reporting companies are required to disclose material cybersecurity incidents under Item 1.05 of Form 8-K. This mandatory disclosure is triggered once the reporting company determines that the incident is material. The Division’s clarification emphasizes that the required filing under the Cybersecurity Rules is not voluntary, in response to the noted Form 8-K filings by some reporting companies that appear to have been made out of an abundance of caution.
  2. Key finding: Voluntary disclosure of non-material incidents:
  • Item 1.05 of Form 8-K does not specifically prohibit voluntary disclosure of immaterial cybersecurity incidents or incidents whose materiality is still being assessed, because the SEC recognizes that such disclosures would be of value to investors and the market.
  • Voluntary disclosure of non-material events or events whose materiality has not yet been determined should be made under a different item on Form 8-K (e.g., Item 8.01). This would help avoid investor confusion (a primary concern of the Division) and preserve the meaning of the disclosures in Item 1.05.
  3. Updating information when determining materiality:
  • If a reporting company initially discloses a cybersecurity incident under Item 8.01 and later determines that the incident is material, it must file a Form 8-K under Item 1.05 within four business days of the determination.
  • The subsequent Item 1.05 of Form 8-K should refer to the prior disclosure under Item 8.01 and satisfy all requirements of Item 1.05 of Form 8-K. Therefore, multiple filings with the SEC may be necessary to fully disclose the events.
  4. Materiality assessment:
  • When assessing the materiality of a cybersecurity incident, reporting entities should consider both qualitative and quantitative factors. These factors include not only the impact (or the reasonably likely impact) on financial condition and results of operations, but also potential damage to reputation, relationships with customers or suppliers, competitiveness, and the likelihood of litigation or regulatory action, including those initiated by federal, state, and non-U.S. agencies.
  • Even if the full impact (or likely impact) of the incident is not yet known, a cybersecurity incident that has been determined to be material must be disclosed under Item 1.05 of Form 8-K, with a note that the impact assessment is still underway. Reporting companies must then amend the Form 8-K to disclose the impact once it is known.


Foreign private issuers:

Foreign private issuers using Form 6-K would not be affected by this statement. Unlike Form 8-K, there is no equivalent to Item 1.05 on Form 6-K. Instead, Form 6-K requires foreign private issuers to disclose material cybersecurity incidents made public in a foreign jurisdiction to an exchange or security holders. However, Form 6-K does not specify a mandatory location for these disclosures.

Compliance timeline:

  • For all reporting companies, except smaller reporting companies, compliance with Item 1.05 of Form 8-K has been mandatory since December 18, 2023.
  • Smaller reporting companies must comply with the provisions of Item 1.05 of Form 8-K beginning June 15, 2024.

Significance for investors and reporting companies:

The new cybersecurity incident disclosure guidelines emphasize the importance of distinguishing between material and immaterial incidents and provide criteria for such distinctions to avoid investor confusion. This clarity is important for making informed investment and voting decisions. Accurate classification and timely disclosure are essential to maintaining transparency and trust in the market. Reporting firms should carefully assess and disclose cybersecurity incidents using these guidelines to ensure compliance and preserve market integrity.

Endnotes

(1) Director Gerding’s statement is not a rule, regulation or statement of the SEC and does not have the force or effect of law. According to the SEC, the statement does not change or add to applicable law and does not create any new or additional obligations for anyone.
