SEC final rule on reporting material cybersecurity incidents
In July 2023, the US Securities and Exchange Commission (SEC) finalized its rule requiring public companies to disclose material cybersecurity incidents under Item 1.05 of Form 8-K. Though materiality is not a new concept in SEC regulations, in the context of cybersecurity incidents, materiality assessments and disclosure practices are evolving areas with little practical precedent or guidance to draw upon. Fundamentally, an incident is considered material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision.[1] This includes assessing all relevant qualitative and quantitative factors, such as reputation, customer and vendor relationships, and competitiveness, in addition to financial and operational impacts, as well as potential litigation and regulatory actions.[2]
Disclosures under Item 1.05 of Form 8-K are supposed to be limited to material cybersecurity incidents. However, since the rule went into effect in December 2023, out of an abundance of caution, many companies have filed Item 1.05 Form 8-Ks despite not having made a materiality determination. At the International Association of Privacy Professionals’ April 2024 Global Privacy Summit in Washington D.C., SEC officials acknowledged that such “cover yourself 8-Ks” may be counterproductive.
SEC’s Director of the Division of Corporation Finance releases statement on material cybersecurity incident determination and disclosure
On May 21, 2024, the Director of the SEC’s Division of Corporation Finance issued a statement providing useful guideposts for assessing the SEC rule’s disclosure requirements under Item 1.05 of Form 8-K (the “Statement”). The Director reiterated that the intended use of Item 1.05 Form 8-K is to inform investors of material cybersecurity incidents, and to that end, delineated how companies should proceed when faced with a cybersecurity incident for which they have not yet made a materiality determination.
Specifically:
- If a company wishes to disclose an immaterial incident (i.e., an incident that has been determined as immaterial), it may do so by making a disclosure under Item 8.01 of Form 8-K, which is for disclosing “any events, with respect to which information is not otherwise called for by this form, that the registrant deems of importance to security holders.”[3]
- If a company has not yet made a materiality determination, it may make a disclosure under Item 8.01 of Form 8-K. Subsequently, if the incident is determined to be material, the company may file an Item 1.05 Form 8-K within four business days of the determination. It may refer to its prior Item 8.01 disclosure, but must ensure that the subsequent filing satisfies all Item 1.05 requirements.
The Statement also provides additional insight into the considerations in making a materiality determination. In particular, the Statement recognizes that while there are numerous factors to consider in determining an incident’s actual or reasonably likely impact, there may be some cybersecurity incidents “so significant” as to warrant a materiality determination even before ascertaining the incident’s impact or reasonably likely impact.[4] The Statement does not define “so significant” any further and could be interpreted as a “catch-all” category that may nudge companies toward disclosure based on their specific circumstances, such as their industries or roles in the market.
In disclosing a “so significant” incident in an Item 1.05 Form 8-K, the company should provide investors with information necessary to understand the material aspects of the incident (i.e., nature, scope, and timing), and include a statement that it has not yet determined the incident’s impact or reasonably likely impact. The company should amend its Form 8-K to disclose the impact once that information becomes available.[5]
Takeaways
The Statement underscores the need for companies to establish, document, and maintain materiality determination and disclosure protocols as part of their cybersecurity incident response procedures. Companies should take into account their own unique circumstances and the particularities of each incident in making these decisions and document the assessment. Ultimately, it is important to keep in mind that despite the emerging nature of disclosure practices, purely defensive disclosures under Item 1.05 of Form 8-K may create investor confusion about the significance of the cybersecurity incident and could create a line of inquiry from the SEC.
Special thanks to Law Clerk Shushan Gabrielyan (Los Angeles, CA) for her assistance in the preparation of this content.
[1] Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11216; 34-97989 (July 26, 2023) [88 FR 51896] (Aug. 4, 2023), available at https://www.sec.gov/news/statement/gerding-cybersecurity-disclosure-20231214.
[2] Id.
[3] SEC, Form 8-K, available at https://www.sec.gov/files/form8-k.pdf.
[4] Erik Gerding, Disclosure of Cybersecurity Incidents Determined To Be Material and Other Cybersecurity Incidents, SEC.gov (May 21, 2024), available at https://www.sec.gov/news/statement/gerding-cybersecurity-incidents-05212024.
[5] Id.