In brief

On May 21, 2024, Erik Gerding, Director of the US Securities and Exchange Commission (SEC) Division of Corporation Finance, issued a statement¹ clarifying the SEC’s expectations for cybersecurity incident disclosures under the new Form 8-K Item 1.05. Gerding’s statement clarified that Item 1.05 disclosures should be reserved for material cybersecurity incidents, and that voluntary disclosures of immaterial incidents, or of incidents before a materiality determination has been made, should be provided under a different item of Form 8-K, such as Item 8.01.

Key takeaways

The statement emphasizes that while Form 8-K Item 1.05 does not expressly prohibit voluntary filings, disclosures under the aptly named Item 1.05 Material Cybersecurity Incidents caption should be reserved only for cybersecurity incidents that a registrant has determined to be material. The statement explains that the reasoning for this distinction is investor understanding:

  • Gerding notes that disclosure under Item 1.05 of non-material cybersecurity incidents may “result in investor confusion or dilute the value of Item 1.05 disclosures regarding material cybersecurity incidents”.
  • Nonetheless, voluntary disclosures of immaterial cybersecurity incidents, or of incidents for which a materiality determination has not yet been made, are still encouraged and valuable to investors. These disclosures, however, should be provided under a separate Form 8-K Item, such as Item 8.01.

Given the distinct purpose of Form 8-K Item 1.05, a registrant’s disclosure requirements may evolve while the registrant determines the materiality of a cybersecurity incident:

  • If a registrant makes a voluntary disclosure of an immaterial incident or a voluntary disclosure while continuing to assess materiality and subsequently makes a determination that the incident was or has become material, the registrant must file a new separate Item 1.05 Form 8-K. The new Form 8-K may refer to the earlier voluntary filing, but must include a standalone disclosure that fully complies with all requirements of Item 1.05.
  • If an incident is so severe that a registrant determines the incident is material before the registrant can assess its full impact (or reasonably likely impact), a preliminary Item 1.05 Form 8-K disclosure should be made noting that the registrant has not yet determined the impact, but explaining the material aspects of the nature, scope, and timing of the incident. Once the impact has been assessed, the original Form 8-K should be amended.

In addition to clarifying the purpose of Item 1.05, Gerding also reiterated that a registrant should consider all relevant qualitative and quantitative factors required to determine the materiality of a cybersecurity incident. Likely in response to language included in early Item 1.05 disclosures, Gerding’s statement emphasized that consideration of the impact (or reasonably likely impact) on a registrant’s financial condition and results of operations alone is not sufficient to determine materiality. Gerding specifically cited to the adopting release for the SEC’s cybersecurity disclosure rules for a non-exclusive list of additional potential areas of impact, including:

  • The registrant’s reputation and competitiveness
  • The registrant’s customer or vendor relationships
  • The possibility of litigation
  • The possibility of regulatory investigations or actions, including regulatory actions by states, federal governmental authorities, and non-US authorities

While voluntary disclosures of cybersecurity incidents continue to be valuable to investors, the marketplace, and ultimately to registrants, registrants should ensure that such disclosures are made under the appropriate Item. If a cybersecurity incident is not reported under the correct Form 8-K Item, the SEC would likely view this as creating a risk that investors will misunderstand the significance of the cybersecurity incident. Therefore, where an incident is material, registrants should file an Item 1.05 Form 8-K within four business days of such materiality determination.


1 Gerding’s statement was provided in his official capacity as the Commission’s Director of the Division of Corporation Finance but does not necessarily reflect the views of the SEC, Commissioners, or other members of the staff.

Author

Sali provides advice on a broad range of corporate and securities matters to clients in various industries including healthcare, technology, real estate, energy, manufacturing, consumer products and travel.

Chris counsels NYSE and NASDAQ-listed companies, foreign private issuers and their boards of directors on offerings of debt and equity securities, proxy contests, negotiated and contested mergers and acquisitions, joint ventures and strategic alliances.

Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.

Jerome has extensive experience representing clients in government litigation and enforcement investigations before the SEC, DOJ, various United States Attorneys' Offices and the Commodity Futures Trading Commission.

Emily Nash is an associate in the North America Corporate & Securities Practice Group and resides in the Firm's Chicago Office.

Anelis Villarreal is an associate in Baker McKenzie’s Houston office and is a member of the North America Transactional Practice Group.