In brief
On May 21, 2024, Erik Gerding, Director of the US Securities and Exchange Commission (SEC) Division of Corporation Finance, issued a statement¹ clarifying the SEC’s expectations for cybersecurity incident disclosures under the new Form 8-K Item 1.05. Gerding’s statement clarified that Item 1.05 disclosures should be reserved for material cybersecurity incidents, and that voluntary disclosures of immaterial incidents, or of incidents before a materiality determination has been made, should be provided under a different item of Form 8-K, such as Item 8.01.
Key takeaways
The statement emphasizes that while Form 8-K Item 1.05 does not expressly prohibit voluntary filings, disclosures under the aptly named Item 1.05 Material Cybersecurity Incidents caption should be reserved for only cybersecurity incidents that a registrant has determined to be material. The statement explains that the reasoning for this distinction is investor understanding:
- Gerding notes that disclosure under Item 1.05 of non-material cybersecurity incidents may “result in investor confusion or dilute the value of Item 1.05 disclosures regarding material cybersecurity incidents”.
- Nonetheless, voluntary disclosures of immaterial cybersecurity incidents, or of incidents for which a materiality determination has not yet been made, are still encouraged and valuable to investors. These disclosures, however, should be provided under a separate Form 8-K Item, such as Item 8.01.
Given the distinct purpose of Form 8-K Item 1.05, a registrant’s disclosure requirements may evolve while the registrant is determining the materiality of a cybersecurity incident:
- If a registrant makes a voluntary disclosure of an immaterial incident or a voluntary disclosure while continuing to assess materiality and subsequently makes a determination that the incident was or has become material, the registrant must file a new separate Item 1.05 Form 8-K. The new Form 8-K may refer to the earlier voluntary filing, but must include a standalone disclosure that fully complies with all requirements of Item 1.05.
- If an incident is so severe that a registrant determines the incident is material before the registrant can assess its full impact (or reasonably likely impact), a preliminary Item 1.05 Form 8-K disclosure should be made noting that the registrant has not yet determined the impact, but explaining the material aspects of the nature, scope, and timing of the incident. Once the impact has been assessed, the original Form 8-K should be amended.
In addition to clarifying the purpose of Item 1.05, Gerding also reiterated that a registrant should consider all relevant qualitative and quantitative factors required to determine the materiality of a cybersecurity incident. Likely in response to language included in early Item 1.05 disclosures, Gerding’s statement emphasized that consideration of the impact (or reasonably likely impact) on a registrant’s financial condition and results of operations alone is not sufficient to determine materiality. Gerding specifically cited the adopting release for the SEC’s cybersecurity disclosure rules for a non-exclusive list of additional potential areas of impact, including:
- The registrant’s reputation and competitiveness
- The registrant’s customer or vendor relationships
- The possibility of litigation
- The possibility of regulatory investigations or actions, including regulatory actions by states, federal governmental authorities, and non-US authorities
While voluntary disclosures of cybersecurity incidents continue to be valuable to investors, the marketplace, and ultimately to registrants, registrants should ensure that such disclosures are made under the appropriate Item. If a cybersecurity incident is not reported under the correct Form 8-K Item, the SEC would likely view this as creating a risk that investors will misunderstand the significance of the cybersecurity incident. Therefore, where an incident is material, registrants should file an Item 1.05 Form 8-K within four business days of such materiality determination.
1 Gerding’s statement was provided in his official capacity as the Commission’s Director of the Division of Corporation Finance but does not necessarily reflect the views of the SEC, Commissioners, or other members of the staff.