SEC Director of Corporation Finance Speaks to Cybersecurity Disclosures

Stinson - Corporate & Securities Law Blog

Erik Gerding, Director, Division of Corporation Finance, released a statement on the preferred methods to disclose certain cybersecurity incidents.  Mr. Gerding noted “The cybersecurity rules that the Commission adopted on July 26, 2023 require public companies to disclose material cybersecurity incidents under Item 1.05 of Form 8-K.  If a company chooses to disclose a cybersecurity incident for which it has not yet made a materiality determination, or a cybersecurity incident that the company determined was not material, the Division of Corporation Finance encourages the company to disclose that cybersecurity incident under a different item of Form 8-K (for example, Item 8.01).  Although the text of Item 1.05 does not expressly prohibit voluntary filings, Item 1.05 was added to Form 8-K to require the disclosure of a cybersecurity incident “that is determined by the registrant to be material,” and, in fact, the item is titled “Material Cybersecurity Incidents.”  In addition, in adopting Item 1.05, the Commission stated that “Item 1.05 is not a voluntary disclosure, and it is by definition material because it is not triggered until the company determines the materiality of an incident.”  Therefore, it could be confusing for investors if companies disclose either immaterial cybersecurity incidents or incidents for which a materiality determination has not yet been made under Item 1.05.”

Mr. Gerding also noted “This clarification is not intended to discourage companies from voluntarily disclosing cybersecurity incidents for which they have not yet made a materiality determination, or from disclosing incidents that companies determine to be immaterial.  I recognize the value of such voluntary disclosures to investors, the marketplace, and ultimately to companies, and this statement is not intended to disincentivize companies from making those disclosures.”

Finally, Mr. Gerding indicates “in determining whether a cybersecurity incident is material, and in assessing the incident’s impact (or reasonably likely impact), companies should assess all relevant factors.  As the Commission noted in the Adopting Release, that assessment should not be limited to the impact on “financial condition and results of operation,” and “companies should consider qualitative factors alongside quantitative factors.”  For example, companies should consider whether the incident will “harm . . . [its] reputation, customer or vendor relationships, or competitiveness.”  Companies also should consider “the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and Federal Governmental authorities and non-U.S. authorities.””

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Stinson - Corporate & Securities Law Blog | Attorney Advertising
