On May 21, 2024, the Director of the SEC’s Division of Corporation Finance released a statement relating to cybersecurity incident disclosures on Form 8-K. While it does not reflect a rule, regulation or official statement of the SEC, the Director’s statement provides guidance on using Form 8-K to disclose a material cybersecurity incident.[1]
Since December 15, 2023, 17 companies have filed one or more disclosures under Item 1.05 of Form 8-K, and, despite the fact that a materiality determination is the trigger for disclosure under Item 1.05, only two of those companies have affirmatively stated that the disclosed cybersecurity incident was material or is expected to have a material impact. In light of these filings and in order to guide practice going forward, the Director’s statement addressed a few key areas:
- Item 1.05 vs. Item 8.01. The Director emphasized that Item 1.05 should be reserved for use only when it has been determined that a cybersecurity incident is, in fact, material. While taking care not to discourage voluntary disclosure, the Director clarified that voluntary disclosures of incidents that have not yet been determined to be material or that have been determined to be immaterial should instead be provided under Item 8.01 so as to not confuse investors.
- Materiality Factors. The Director underscored that the factors to be considered in determining whether a cybersecurity incident is material include not only the impact on financial condition or results of operations, but, also, other relevant qualitative factors such as reputational harm, impact on customer or vendor relationships, competition, and the possibility of litigation, regulatory investigations or other actions (including state, federal and non-U.S. authorities). See the discussion in the Adopting Release on pages 29-30.
- Unknown Impacts of a Material Incident. The Director acknowledged that there may be instances when an incident is so significant that it is clearly material, but the company has not yet determined the impact that is required to be disclosed under Item 1.05. In those instances, since the incident has been determined to be material, initial disclosure is required to be provided under Item 1.05 within four business days of such determination. The initial 8-K should include a statement noting that the company has not yet determined the impact (or reasonably likely impact) of the incident (including information necessary to understand the material aspects of the nature, scope and timing of the incident), and then provide the required information on the material impact in an amendment to the Form 8-K once it is available, consistent with Instruction 2 to Item 1.05.
What to Do Now?
In light of the Director’s statement, companies now have some additional guidance to assist with their consideration of whether and, if so, how best to disclose cybersecurity incidents on Form 8-K and improve the clarity of the disclosures for investors. Based on this guidance, companies should keep in mind the following when making decisions regarding disclosure of significant and/or material cybersecurity incidents:
- Develop or review existing frameworks for considering the differences between a significant incident that the company believes is important for investors to know about but does not rise to the level of material, versus a material incident that would be required to be disclosed under Item 1.05 of Form 8-K.
- Review and update disclosure controls and procedures around determining materiality of cybersecurity incidents to confirm that the factors identified by the Director and other factors specific to the company’s business or industry are evaluated, including reputational harm, impact on customer or vendor relationships, competition, and the possibility of litigation, regulatory investigations or actions (including state, federal and non-U.S. authorities).
- After making voluntary disclosure of a significant – but maybe not material – cybersecurity incident under Item 8.01 and later determining that the incident is material, be sure to file an Item 1.05 Form 8-K within four business days of such determination that includes all of the required information, even if some of the information was previously disclosed under Item 8.01. (The 8-K can refer back to the initial disclosure under Item 8.01, but must satisfy all the requirements of Item 1.05).
- Provide required disclosures promptly, as materiality determinations are made. If an incident is material and particularly significant, but at the time of filing a required 8-K not all of the information required by Item 1.05 is available, state that fact in the disclosure and promptly amend the filing when the additional information is known.
For more information on the SEC’s cybersecurity disclosure rules, see our prior alerts.
[1] Item 1.05 of Form 8-K requires companies that experience a cybersecurity incident they determine to be material to file an 8-K describing the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations. Before the requirement became effective on December 15, 2023, there was no specific cybersecurity incident disclosure requirement under Form 8-K; companies instead disclosed incidents under Item 8.01, as applicable, if they determined them to be material and/or significant to investors.