Insight

New SEC guidance on cybersecurity incident disclosures

The Director of the Division of Corporation Finance of the SEC issued a statement yesterday relating to the recent SEC cybersecurity disclosure rules that require public companies to disclose the occurrence of material cybersecurity events on Form 8-K under a new Item 1.05.

In the statement, the Director commented on a practice that has developed among certain public companies to voluntarily file an Item 1.05 Form 8-K to report that the company has experienced a cybersecurity incident before a determination has been made that the incident is material. 

The Director points out that, although the text of Item 1.05 does not expressly prohibit voluntary filings, the item by its terms requires disclosure of a cybersecurity incident that the company has determined to be material (indeed, the item is titled “Material Cybersecurity Incidents”). The Director therefore encourages companies that want to disclose a cybersecurity incident but have not yet made a materiality determination, or have determined that the incident is not material, to disclose it under a different item of Form 8-K.

The statement makes clear that the Division is not suggesting that voluntary filings are prohibited or discouraged. Rather, the Division wants to reserve Item 1.05 for a cybersecurity event that a company has determined is material. The Director cited concerns about investor confusion, particularly in light of the increasing number of cybersecurity incidents, noting that Item 1.05 was designed to allow investors to distinguish between cybersecurity incidents that are material and those that are not. 

Companies have been choosing to file an Item 1.05 Form 8-K even before a materiality determination has been made because they are concerned about being second-guessed later if they ultimately determine that the cybersecurity incident was material. The statement reflects only the Division’s views and does not amend the rule or Form 8-K, so companies may continue to report a cybersecurity incident under Item 1.05 even if it is not likely to be material or if a materiality determination has not yet been made. We would, however, caution companies against deviating from the Division’s guidance.

Things to remember when disclosing cybersecurity incidents:

  • The Form 8-K requirement to disclose a cybersecurity incident is triggered by a determination of materiality. If the incident is not material or the determination has not yet been made, there is no technical requirement to file an Item 1.05 Form 8-K. The statement reminds companies to assess all relevant factors in making their materiality determinations.
  • If a company experiences a material cybersecurity incident, then disclosure under Item 1.05 is required, even if the company does not yet know the extent of the impact or the scope of the incident. When the company later learns that information, an amendment to the initial Form 8-K is required to update the filing. 
  • A voluntary disclosure of a cybersecurity incident may be appropriate in many circumstances even if the incident is not material or its materiality has not yet been determined. In those circumstances, the SEC’s statement encourages a company to consider disclosing that cybersecurity incident under a different item of Form 8-K (for example, Item 8.01). The requirements of Item 1.05 may still serve as useful guidance for the content of such disclosure.
  • If a company discloses the occurrence of a cybersecurity incident under Item 8.01 (or Item 7.01) and later determines that the incident is material, the company must file an Item 1.05 Form 8-K within four business days of that determination to disclose that it experienced a material cybersecurity incident. This could be a new Form 8-K or an amendment to the initial Form 8-K. 

Our memorandum on the cybersecurity disclosure rules is linked here.