On May 21, 2024, Erik Gerding, director of the Division of Corporation Finance of the U.S. Securities and Exchange Commission (SEC), issued a statement with clarifying guidance on cybersecurity incident disclosure under Item 1.05 (Material Cybersecurity Incidents) of Form 8-K. The central message of the statement is that voluntary disclosure of cybersecurity incidents that have not been found to be material or for which a materiality determination has not yet been made should not be disclosed under Item 1.05 of Form 8-K. Such disclosures are better made under Item 8.01 (Other Events) of Form 8-K.
While the guidance is not a formal statement by the SEC or otherwise legally binding, companies making disclosure decisions should carefully consider the guidance.
Background
On July 26, 2023, the SEC adopted new Item 1.05 of Form 8-K, which requires that public companies disclose any cybersecurity incident that is determined to be material and describe the material aspects of the nature, scope, and timing of the incident as well as the material impact or reasonably likely material impact of the incident on the company, including its financial condition and results of operations. Companies must determine the materiality of an incident without unreasonable delay following discovery and, if the incident is determined to be material, file an Item 1.05 Form 8-K within four business days of such determination. A company is required to file an amendment to its Form 8-K filing if certain required information was not available at the time of the initial filing within four business days of determining such information or after such information becomes available. The new disclosure obligation became effective on December 18, 2023.
In the five months since the effective date, 17 companies have disclosed cybersecurity incidents under Item 1.05 of Form 8-K. In nearly all of those filings, companies have included language to the effect that they do not believe the cybersecurity incident has had or is likely to have a material impact on the company's financial condition or results of operations. Most disclosures also indicate that an investigation of the incident is ongoing; accordingly, the full scope, nature, and impact of the cybersecurity incident are not yet known. Except for one company that indicated in its Form 8-K an expectation that the cybersecurity incident would have a material impact on its results of operations for the fourth quarter of 2023, no companies stated that the cybersecurity incident was material to the company. While each of these situations is unique, investors could potentially be confused about the materiality of a cybersecurity incident when a company discloses the incident under Item 1.05 of Form 8-K but includes a statement that the cybersecurity incident has not had, or is not likely to have, a material impact on the company's financial condition or results of operations.
Statement on Item 1.05 (Material Cybersecurity Incidents) of Form 8-K
As reflected in Mr. Gerding's statement, the SEC staff encourages disclosure of a cybersecurity incident for which a company has not yet made a materiality determination or a cybersecurity incident that a company determined was not material under a different item of Form 8-K than Item 1.05, such as Item 8.01:
Although the text of Item 1.05 does not expressly prohibit voluntary filings, Item 1.05 was added to Form 8-K to require the disclosure of a cybersecurity incident "that is determined by the registrant to be material," and, in fact, the item is titled "Material Cybersecurity Incidents." In addition, in adopting Item 1.05, the Commission stated that "Item 1.05 is not a voluntary disclosure, and it is by definition material because it is not triggered until the company determines the materiality of an incident." Therefore, it could be confusing for investors if companies disclose either immaterial cybersecurity incidents or incidents for which a materiality determination has not yet been made under Item 1.05. [footnotes omitted]
Mr. Gerding emphasizes that the statement is not intended to discourage voluntary disclosure of cybersecurity incidents that do not (yet) fall under the disclosure mandate of Item 1.05; "[r]ather, this statement is intended to encourage the filing of such voluntary disclosures in a manner that does not result in investor confusion or dilute the value of Item 1.05 disclosures regarding material cybersecurity incidents." Instead, the Division of Corporation Finance staff encourages companies to disclose such cybersecurity incidents under a different item of Form 8-K, such as Item 8.01(Other Events). Mr. Gerding further explains:
Given the prevalence of cybersecurity incidents, [the] distinction between a Form 8-K filed under Item 1.05 for a cybersecurity incident determined by a company to be material and a Form 8-K voluntarily filed under Item 8.01 for other cybersecurity incidents will allow investors to more easily distinguish between the two and make better investment and voting decisions with respect to material cybersecurity incidents. By contrast, if all cybersecurity incidents are disclosed under Item 1.05, then there is a risk that investors will misperceive immaterial cybersecurity incidents as material, and vice versa.
The statement includes a recognition that a company may determine that, after further investigation, a cybersecurity incident that it initially disclosed voluntarily under Item 8.01 is, in fact, material for purposes of Item 1.05. In such situations, the company should file an Item 1.05 Form 8-K within four business days of such subsequent materiality determination. The new filing may refer to the earlier Item 8.01 Form 8-K but must independently satisfy the specific requirements of Item 1.05.
The SEC made clear in the adopting release for Item 1.05 of Form 8-K that "materiality" is to be determined consistent with the standard set out in case law addressing materiality in the securities laws — information is material if "there is a substantial likelihood that a reasonable shareholder would consider it important" in making an investment decision or if it would have "significantly altered the 'total mix' of information made available."
Mr. Gerding's statement reiterates guidance in the adopting release on considerations for companies assessing the materiality of a cybersecurity incident. Specifically:
- The assessment should not be limited to the impact on financial condition and results of operation.
- Companies should consider qualitative factors alongside quantitative factors, such as whether the incident will harm its reputation, customer or vendor relationships, or competitiveness.
- Companies should consider the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal authorities and authorities outside the United States.
The materiality assessment guidance also describes a scenario in which a company experiences a cybersecurity incident that is so significant that it can be deemed material, even though the company has not yet determined its impact (or reasonably likely impact). In such a case, the company should disclose the incident in an Item 1.05 Form 8-K, include a statement noting that the company has not yet determined the impact (or reasonably likely impact) of the incident, and amend the Form 8-K to disclose the impact once that information is available. The initial Item 1.05 filing must provide investors with the information necessary to understand the material aspects of the nature, scope, and timing of the incident, notwithstanding the company's inability to determine the incident's impact (or reasonably likely impact) at that time.
* * *
Mr. Gerding's statement is just the latest indication of the agency's focus on cybersecurity. For example, the SEC adopted new rules on May 16, 2024, that mandate registrants in the financial services industry to adopt written policies and procedures and safeguards related to customer records and information. The SEC's Division of Corporation Finance staff has continued to emphasize the applicability of its 2018 interpretive guidance on the importance of adopting disclosure controls and procedures that enable companies, among other things, to identify and evaluate cybersecurity risks and incidents, make sure information is reported up to management and appropriate committees, assess and analyze their impact on a company's business, and make timely disclosures. The SEC's Division of Enforcement has also been active, pursuing actions against companies for allegedly misleading disclosures about the impact of data breaches and other cybersecurity incidents.
Beyond securities law compliance, there are myriad intertwined issues and legal risk and operational considerations that arise from cybersecurity incidents, including investigations, private litigation, state and federal law enforcement actions, and data preservation and management requirements. Please reach out to your Goodwin client team for help in assessing the most effective way to address your cybersecurity counseling needs.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.