
SEC Division of Corporation Finance Clarifies Disclosures of Material Cybersecurity Incidents on Form 8-K | Kramer Levin Naftalis & Frankel LLP

On May 21, 2024, Erik Gerding, Director of the SEC’s Division of Corporation Finance, issued a statement on the new requirement to disclose material cybersecurity incidents on Form 8-K. The SEC’s latest cybersecurity disclosure rules (discussed here) took effect for most companies on December 18, 2023, and require public companies to disclose incidents that are “determined by the registrant to be material” under Item 1.05 of Form 8-K. In fact, Item 1.05 is titled “Material Cybersecurity Incidents” and the related press release states that Item 1.05 “is not a voluntary disclosure and is material by definition because it is not triggered until the company determines the materiality of an incident.” According to Item 1.05, the company must make a materiality determination “without undue delay” and based on whether there is a substantial probability that a reasonable investor would consider the information to be important or whether it would have significantly changed the overall mix of available information. If a listed company considers an incident to be “material,” it must report it within four business days.

Since the new rules took effect about five months ago, many companies have chosen, out of caution, to voluntarily report cybersecurity incidents under Item 1.05, even if the company had not yet made a materiality determination or had determined the incident to be immaterial. Although Gerding’s statement recognizes the value of such voluntary disclosures and the text of Item 1.05 does not explicitly prohibit voluntary disclosures, the statement raised concerns that reporting immaterial cybersecurity incidents under Item 1.05 could cause investor confusion or dilute the value of Item 1.05.

Given the frequency of both tangible and intangible cybersecurity threats that publicly traded companies face on a daily basis, Gerding encouraged companies to use Item 8.01 (Other Events) to voluntarily report cybersecurity incidents that were not deemed material. This distinction “allows investors to more easily distinguish between the two and make better investment and voting decisions with respect to material cybersecurity incidents. … [W]hen all cybersecurity incidents are disclosed under Item 1.05, there is a risk that investors may incorrectly classify intangible cybersecurity incidents as material and vice versa.”

Companies should carefully consider which item on Form 8-K they use when disclosing cybersecurity incidents. If the company has not yet made a materiality determination but chooses to voluntarily disclose a cybersecurity incident, it should do so under Item 8.01. However, if the company receives additional information or later determines that the same incident is material, it should file another Form 8-K within four business days of that determination and report the incident under Item 1.05. Finally, for all material incidents, whether first reported under Item 1.05 or Item 8.01, the company should make sure it discloses the impact of the incident in a manner that meets all of the requirements of Item 1.05. This means that companies can sometimes file an amendment on Form 8-K/A if they learn new details about a material incident after the four business day deadline.
