The U.S. Securities and Exchange Commission (“SEC”) adopted a final rule on July 26, 2023 that requires public companies to disclose material cybersecurity incidents under new Item 1.05 of Form 8-K. Since its adoption, public companies have faced practical challenges in determining whether and when a cybersecurity incident warrants disclosure under Item 1.05.
On May 21, 2024, roughly six months after the final rule’s effective date, Erik Gerding, Director of the SEC’s Division of Corporation Finance, issued a statement signaling that public companies should consider disclosing incidents in a different fashion under a Form 8-K. Specific points of note:
- Immaterial Incidents. Public companies that disclose cybersecurity incidents that either are not material or have not yet been determined to be material are “encourage[d]” to “disclose that cybersecurity incident under a different item of Form 8-K (for example, Item 8.01)” as opposed to Item 1.05. Item 8.01 (Other Events) is the “catch-all” disclosure provision of Form 8-K, whereby disclosures made will not be deemed an admission by the reporting company as to the materiality of the reported event.
- Immaterial Incidents Later Deemed Material. “If a company discloses an immaterial incident (or one for which it has not yet made a materiality determination) under Item 8.01 of Form 8-K, and then it subsequently determines that the incident is material, then it should file an Item 1.05 Form 8-K within four business days of such subsequent materiality determination.” Public companies must still determine “without unreasonable delay, whether the incident was material.”
- Material Incidents Whose Impact Has Not Been Determined. In “cases in which a cybersecurity incident is so significant that a company determines it to be material even though the company has not yet determined its impact (or reasonably likely impact) . . . the company should disclose the incident in an Item 1.05 Form 8-K, include a statement noting that the company has not yet determined the impact (or reasonably likely impact) of the incident, and amend the Form 8-K to disclose the impact once that information is available.”
Director Gerding explained that he issued this statement because “it could be confusing for investors if companies disclose either immaterial cybersecurity incidents or incidents for which a materiality determination has not yet been made under Item 1.05.” While not explicitly stated, Director Gerding’s announcement is likely in response to several voluntary disclosures of cybersecurity incidents that use Item 1.05 on the Form 8-K to disclose the incident, but which indicate a lack of firm determination by the disclosing company as to the materiality of the reported incident and its purported impact.
This latest statement from the SEC provides some direction regarding how and where to disclose an incident on a Form 8-K when the materiality determination has not yet been made, or when the incident is immaterial. However, the statement offers little guidance to companies seeking clarity on whether an incident is material, saying only that companies “should assess all relevant factors” when making the determination. It remains to be seen how public companies will digest these statements by the SEC as they relate to cybersecurity incident disclosure.