On May 21, 2024, Erik Gerding, the Director of the Division of Corporation Finance at the U.S. Securities and Exchange Commission (SEC), released a statement (statement) on the disclosure of cybersecurity incidents. This statement relates to disclosures made under new Item 1.05 of Form 8-K, which was adopted by the SEC in July 2023,^[1] and requires companies to disclose information relating to material cybersecurity incidents within four business days of determining that the incident is material. For more information on the cybersecurity rules, please see our previous Client Alert.

The statement reiterates that the Form 8-K Item 1.05 is triggered by a company’s determination that a cybersecurity incident is material, noting the item is itself titled “Material Cybersecurity Incidents” [emphasis added].  It also notes that a cybersecurity incident for which a company has not yet made a materiality determination or has determined was not material does not trigger a reporting obligation under Item 1.05. The statement further clarifies that using Item 1.05 for an incident for which a company has not yet made a materiality determination or has determined was not material may dilute the importance of the disclosure for investors or cause confusion as to whether an incident is material.  Acknowledging, however, that voluntary disclosure of these incidents may provide valuable information for investors, the statement encourages companies choosing to report such an incident voluntarily to do so under another item of Form 8-K, such as Item 8.01. If the company later determines the incident to be material, then the company would need to file an Item 1.05 Form 8-K within four business days of the materiality determination to provide the required disclosure.  In doing so, the company should make sure to satisfy the Item 1.05 requirements in the filing, and the company may refer to any previously filed Form 8-K. 

The importance of the foregoing distinction with respect to disclosure of cybersecurity incidents is summarized in the statement as follows: “this distinction between a Form 8-K filed under Item 1.05 for a cybersecurity incident determined by a company to be material and a Form 8-K voluntarily filed under Item 8.01 for other cybersecurity incidents will allow investors to more easily distinguish between the two and make better investment and voting decisions with respect to material cybersecurity incidents.”

The statement serves as an important clarification given the trajectory of the initial Form 8-K filings for cybersecurity incidents. Based on our internal tracking data from December 18, 2023^[2], through May 21, 2024, of the 24 companies that have filed a Form 8-K to report a cybersecurity incident, 17 filed under Item 1.05, with only two reporting that the incident was material. Of the remaining companies, five filed under Item 8.01 and two filed under Item 7.01. This distribution is likely to change markedly as a result of the statement.

As to the determination of materiality and assessing an incident’s impact (or reasonably likely impact), the statement reiterated that companies should assess all relevant factors, including not only quantitative factors such as the incident’s effect on a company’s financial condition or results of operation, but also qualitative factors such as harm to a company’s reputation, supplier or customer relationships or competitiveness.

Finally, the statement notes that some cybersecurity incidents may be so significant that a company determines it to be material even though the company has not yet determined the impact (or reasonably likely impact) of the cybersecurity incident. Under those circumstances, a company should file an Item 1.05 Form 8-K to disclose the material cybersecurity incident even though it has not fully assessed or determined the impact. In such a case, the company should include a statement that it has not yet determined the impact (or reasonably likely impact) and include sufficient information for investors to understand the material aspects of the nature, scope, and timing of the incident.  Once further information about the impact is available, the company should amend the Form 8-K to disclose this information.

^[1] Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11216; 34-97989 (July 26, 2023) (cybersecurity rules).

^[2] This is the date that public companies (other than smaller reporting companies) were required to comply with the new Item 1.05 disclosure requirements. Smaller reporting companies will be required to comply on June 15, 2024.