In an era of pervasive cybersecurity threats, the U.S. Securities and Exchange Commission (SEC) has taken significant steps to enhance transparency and protect investors.
On May 21, 2024, the Director of the Division of Corporation Finance released a statement titled "Disclosure of Cybersecurity Incidents Determined To Be Material and Other Cybersecurity Incidents." This announcement clarifies the distinction between mandatory disclosure and voluntary disclosure for public companies under Form 8-K, specifically focusing on Items 1.05 and 8.01.
The guidance underscores the importance of clear communication regarding material cybersecurity risks, aiding investors in making informed decisions without deterring voluntary reporting. As cybersecurity incidents become more sophisticated, companies must navigate these updated disclosure requirements to ensure compliance and maintain investor trust.
Understanding the Requirements
Cybersecurity disclosure rules enacted by the SEC on July 26, 2023, require public companies to report certain cybersecurity incidents on Form 8-K, specifically under Item 1.05. This Item is designed for material cybersecurity events. Companies are required to file Form 8-K within four business days of determining that the cybersecurity incident is material.
What is a Cybersecurity Incident?
For the purposes of reporting on Form 8-K, a Cybersecurity Incident is an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant's information system that jeopardizes the confidentiality, integrity, or availability of a registrant's information systems or any information residing there.
The definition is intended to be broad, and the requirement to file an 8-K may be triggered even if the material impact is caused by a series of individually immaterial-related cyber incidents.
How is Materiality Determined?
The SEC did not establish a special materiality definition for a cybersecurity incident. Instead, they relied on the definition of materiality established in several cases the Supreme Court addressed and articulated in rules under the Securities Act and the Securities Exchange Act. Information is material if "there is a substantial likelihood that a reasonable shareholder would consider it important" in making an investment decision or if it would have "significantly altered the total mix of information made available."
Judgment will be required to make these materiality determinations. Registrants will need to consider quantitative factors, including the impact on their financial condition and the results of their operations. What can be more difficult is the requirement to assess qualitative factors, which can include the following:
- Reputational Harm: Potential damage to the company's reputation.
- Customer and Vendor Relationships: Possible negative effects on relationships with key stakeholders.
- Competitiveness: Any impact on the company's competitive position.
- Regulatory and Legal Risks: The likelihood of litigation or regulatory investigations and actions, including those by state, federal, and non-U.S. authorities.
- Other: Data theft, asset loss, intellectual property loss, etc.
When is Materiality Determined?
Form 8-K does not prescribe how long a company should take to determine materiality. However, the instructions indicate it should be made "without unreasonable delay" after the incident is discovered. Once the company has determined that the cyber incident is material, it must be reported under Item 1.05 on Form 8-K within four days.
What is the Process for Determining Materiality?
While not prescribed by Form 8-K, given the short period for reporting, companies should establish a process for determining the materiality of cyber incidents, including identifying those that should be involved in the assessment. The process will be unique to each company, but some steps that will be common include:
- Select the right people to be involved and outline their responsibilities for this process. This team will frequently include the CTO, CIO or similar positions, CFO and finance team, General Counsel, and legal team.
- Confirm the information that needs to be collected to determine materiality.
- Contemporaneously document the assessment for each cyber incident.
Required Disclosures under Item 1.05 of Form 8-K
Item 1.05 of Form 8-K requires the disclosure of material cybersecurity incidents. The key elements of the required disclosure include:
- Material aspects, including the incident's nature, scope, and timing.
- The material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.
If information is not determined or is unavailable at the time of the required filing, the registrant should include a statement to that effect and file an amendment within four business days of when such information becomes available.
Voluntary Disclosures Under Item 8.01 of Form 8-K
Recognizing the value of transparency, the Division of Corporation Finance has encouraged companies to voluntarily disclose cybersecurity incidents for which they have not yet made a materiality determination or those deemed immaterial under a different item of Form 8-K, such as Item 8.01. This approach is intended to prevent investor confusion by clearly distinguishing between material and immaterial incidents. Key points to consider include:
- Clarity for Investors: Disclosing immaterial incidents under Item 8.01 of Form 8-K helps investors differentiate between material and non-material incidents, aiding in better investment and voting decisions.
- Subsequent Determinations: If an incident initially disclosed under Item 8.01 of Form 8-K is later determined to be material, the company must file an Item 1.05 of Form 8-K within four business days of that determination. The subsequent filing can reference the earlier disclosure but must meet the disclosure requirements of Item 1.05.
As public companies grapple with cybersecurity threats, the SEC's clarified Form 8-K disclosure requirements provide vital transparency and protect investors. By adhering to these guidelines, companies can navigate the fine line between mandatory and voluntary disclosure for the benefit of investors.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.