1. Introduction
Erik Gerding, Director of the Division of Corporation Finance at the US Securities and Exchange Commission ("SEC"), recently issued two guidance statements regarding Item 1.05 of Form 8-K. Adopted by the SEC last year, Item 1.05 requires public companies to disclose material cybersecurity incidents. Gerding's first statement, issued in May, focused on the voluntary disclosure of cybersecurity incidents in Form 8-K. The second statement in June addressed Regulation Fair Disclosure ("Regulation FD") considerations regarding the private sharing of additional information on cybersecurity incidents.
2. Key Details
First Statement (May 2024)
Only cybersecurity incidents that companies have determined to be material should be disclosed under Item 1.05 of Form 8-K. In addition, to avoid investor confusion or the dilution of the value of Item 1.05 disclosures, if a company wishes to disclose a cybersecurity incident that is not material or has not yet been determined as material, the disclosure may be made under Item 8.01 of Form 8-K.
However, if the incident is later determined to be material, the company must file an Item 1.05 Form 8-K within four business days after the day of determination. The company may make a new submission referring to the previous disclosure under Item 8.01 but must meet all of the requirements of Item 1.05.
The SEC clarified that this statement is not intended to discourage companies from voluntarily disclosing cybersecurity incidents that have been determined as immaterial or have not yet been determined as material by companies.
The SEC also acknowledged that such voluntary disclosures can benefit investors, the market, and ultimately the company. It stated that this statement is not intended to dissuade companies from making such disclosures, but rather to encourage companies to make voluntary disclosures in a way that does not cause investor confusion or the dilution of the value of Item 1.05 disclosures of material cybersecurity incidents.
Second Statement (June 2024)
Item 1.05 of Form 8-K does not prohibit a company from privately discussing or sharing information about a material cybersecurity incident with other parties (such as suppliers, customers, companies at similar risk, etc.) or from disclosing information under Item 1.05 Form 8-K, which may facilitate correction, mitigation, risk avoidance efforts or compliance by those parties. If a cybersecurity incident that has been deemed material by the company occurs, Item 1.05 of Form 8-K requires the company to describe the significant aspects of the nature, scope, and timing of the incident and its material impact (or reasonably likely impact) on the company, including the company's financial status and results of operations. However, it does not prohibit the company from discussing material cybersecurity incidents privately with other parties or providing information to those parties beyond the information contained in Item 1.05 of Form 8-K.
Item 1.05 does not change the application of the SEC's Regulation FD to cybersecurity communications, and while Regulation FD requires the disclosure of material nonpublic information that is selectively disclosed to stock market experts and shareholders, whether such disclosure of nonpublic information prompts the application of Regulation FD depends on the disclosed information and the recipients of the information. A company may, with legal counsel, disclose such information privately without the application of Regulation FD by entering into a non-disclosure agreement covering nonpublic information.
The SEC stressed the importance of clarifying the scope and implications of Regulation FD. As many are aware, it reiterated that Regulation FD may demand the disclosure of material, nonpublic information that is selectively disclosed to stock market experts or shareholders. Furthermore, it stated that Regulation FD may be implicated in discussions regarding a cybersecurity incident depending on the disclosed information and the persons who receive the information.
Additionally, some companies may hesitate about privately sharing information about a material cybersecurity incident. However, as discussed above, since the SEC's rules generally do not prohibit the sharing of such information, and as Regulation FD's optional disclosure rules were adopted over 20 years ago, it is anticipated that compliance with the scope and requirement of the rules will not create excessive barriers to the mutually beneficial sharing of information about material cybersecurity incidents.
3. Implications
Companies should remember when determining the significance of a cybersecurity incident or assessing the impact (or reasonably likely impact), they should consider all relevant factors, including qualitative factors, such as reputation, customer and supplier relationship, competitiveness, likelihood of litigation, regulatory investigations or measures.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.