SEC Division of Corporation Finance Director Releases Statement on Material Cybersecurity Incident Disclosures
May 23, 2024
On May 21, 2024, Erik Gerding, the Director of the Securities and Exchange Commission’s (SEC’s) Division of Corporation Finance, issued a statement on “Disclosure of Cybersecurity Incidents Determined To Be Material and Other Cybersecurity Incidents,” to clarify that it is only appropriate for a company to disclose a cybersecurity incident under Item 1.05 of Form 8-K (Material Cybersecurity Incidents) when the company has determined that the incident is material. Evidently, the impetus for issuing the statement is to prevent investor confusion or misperception of an Item 1.05 Form 8-K disclosure if a materiality determination has not yet been made.
The SEC adopted new rules in 2023 to enhance and standardize disclosures regarding cybersecurity processes and cybersecurity incidents by public companies. Among others, the rules amended the SEC’s Current Report on Form 8-K to add a new disclosure requirement under Item 1.05, which is triggered when a registrant determines that a cybersecurity incident it has experienced is material. Within four business days of such a materiality determination, registrants are required to disclose under Item 1.05, to the extent known at the time of the Form 8-K filing: (i) the material aspects of the nature, scope, and timing of the incident, and (ii) the material impact or reasonably likely material impact of the incident, including to the registrant’s financial condition and results of operations. A Form 8-K amendment must be filed to provide any required information that is not determined or is unavailable at the time of the initial Form 8-K filing.
Since December 18, 2023, the effective date of the SEC’s rules on cybersecurity incident disclosure, 17 companies have disclosed cybersecurity incidents under Item 1.05, and only one of those disclosures at the outset involved a cybersecurity incident that the company expressly disclosed was material. (One company made an affirmative materiality determination in an amendment to a previously filed Item 1.05 Form 8-K.) During this same period, five companies made voluntary disclosures of cybersecurity incidents under Items 7.01 or 8.01 of Form 8-K.
In his statement, Mr. Gerding encouraged companies to limit their disclosure of cybersecurity incidents under Item 1.05 of Form 8-K to those cybersecurity incidents that have been “determined by the registrant to be material.” If a company wishes to disclose a cybersecurity incident (i) that it has determined is not material, or (ii) for which it has not yet made a materiality determination, it is encouraged to do so under a different item of Form 8-K (e.g., Item 8.01).
Although voluntary filings are not expressly prohibited under Item 1.05, Mr. Gerding noted that disclosing material cybersecurity incidents separately from other cybersecurity incidents will avoid the “risk that investors will misperceive immaterial cybersecurity incidents as material, and vice versa” and will therefore “allow investors to . . . make better investment and voting decisions with respect to material cybersecurity incidents.”
Mr. Gerding provided the following guidance on timing:
- When a company voluntarily discloses an immaterial incident (or one for which it has not yet made a materiality determination) under Item 8.01 of Form 8-K, and then subsequently determines that the incident is material, the company should file an Item 1.05 Form 8-K within four business days of its materiality determination. The Item 1.05 Form 8-K must satisfy the requirements of Item 1.05, even if the company chooses to refer to the earlier Item 8.01 Form 8-K in its subsequent filing.
- When a company determines that a cybersecurity incident is material, even though the company has not yet determined its impact (or reasonably likely impact), the company should disclose the incident in an Item 1.05 Form 8-K, include a statement noting that the company has not yet determined the impact (or reasonably likely impact) of the incident, and amend the Form 8-K to disclose the impact once that information is available. The initial Form 8-K filing should provide investors with information necessary to understand the material aspects of the nature, scope, and timing of the incident.
Mr. Gerding also reminded companies to consider qualitative factors, in addition to the quantitative assessment of a cybersecurity incident’s impact on “financial conditions and results of operations,” when making a materiality determination. Qualitative factors could include, for example, the impact of the incident on a company’s reputation, client and vendor relationships, or competitiveness, and the possibility of litigation or regulatory action arising out of the incident.
Materiality determinations are difficult, particularly with respect to cybersecurity incidents where the full extent and scope of the incident is often not fully understood for an extended period. A company suspecting or preparing for the worst―and cognizant of the potential significance of a cybersecurity incident to its various stakeholder constituencies―understandably feels pressure to provide disclosure about significant incidents shortly after discovery even if a materiality determination has not yet been made. Companies should take comfort in Mr. Gerding’s statement, however, even though it does not necessarily reflect the views of the SEC, its Commissioners or other members of the SEC staff. While materiality determinations will continue to be difficult and will often take time, Mr. Gerding’s statement clarifies that it is acceptable to provide disclosure under Form 8-K Item 8.01 during this period. Once disclosed under Item 8.01, we would expect that a company is less likely to face criticism (or potential liability) for failing to disclose earlier under Item 1.05 even if the timing of its materiality determination―and later Item 1.05 Form 8-K―is second-guessed in hindsight.
This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Randall W. Edwards, an O’Melveny partner licensed to practice law in California; Shelly Heyduk, an O’Melveny partner licensed to practice law in California; Sid Mody, an O’Melveny partner licensed to practice law in Texas; Robert Plesnarski, an O’Melveny partner licensed to practice law in the District of Columbia and Pennsylvania; Michele W. Layne, an O’Melveny of counsel licensed to practice law in California; Scott W. Pink, an O'Melveny special counsel licensed to practice law in California and Illinois; and Aliza Cohen, an O'Melveny resource attorney licensed to practice law in California, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.
© 2024 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.