As detailed in our client alert, the SEC adopted cybersecurity disclosure rules on July 26, 2023 that require disclosure of material cybersecurity incidents under new Item 1.05 of Form 8-K. If a company determines that a cybersecurity incident is material, it is required to disclose the incident within four (4) business days of such determination. In addition, such determination is required to be made “without unreasonable delay after discovery of the incident." Item 1.05 states companies must describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the company, including on its financial condition and results of operations. If any of the required information is not determinable or unavailable at the time of the initial filing, companies must provide updated disclosure in a Form 8-K amendment.
Companies have often encountered challenges in reaching a materiality determination with respect to cybersecurity incidents due to the often tedious process of evaluating the nature and scope of an incident, the extent of unknown information, and the difficulty of assessing future consequences, particularly in the context of an evolving situation. Since the new rules went into effect, companies now must conduct an on-going reassessment of whether the incident has crossed the tipping point to become, in some aspect, material to investors, based on the known state of information and assessment of potential impacts. As such, companies facing potential scrutiny for not making timely disclosure have opted to voluntarily disclose cybersecurity incidents before reaching a definitive materiality determination, with many disclosing under Item 1.05 and others under Item 8.01 or 7.01. In fact, as of May 22, 2024, 17 companies have disclosed cybersecurity incidents under Item 1.05 over the course of 26 filings (inclusive of 8-K amendments) whereas 7 companies reported cybersecurity incidents under Item 7.01 or 8.01. Of those 17 companies reporting events under Item 1.05, with some companies disclosing material operational impact while the incident was ongoing or material impact on financial quarterly results, most of these companies disclosed no material impact on their operations and also generally disclosed (either as part of original filing or by amendment) that the cyber incidents have not had, or were not expected to have, a material impact on such companies' overall financial condition or results of operations (or that companies have not yet made a materiality determination).
On May 21, 2024, Division of Corporation Finance Director Erik Gerding released a statement setting forth his views on the emerging practice of voluntarily disclosing cybersecurity incidents under Item 1.05 instead of another item (e.g., Item 8.01 of Form 8-K). In the statement, Director Gerding expresses concern that it could be confusing for investors if companies disclose either immaterial cybersecurity incidents or incidents for which a materiality determination has not yet been made under Item 1.05. Accordingly, if a company discloses a cybersecurity incident for which it has not yet made a materiality determination, or which the company has determined was not material, the Division encourages the company to disclose that incident under Item 8.01. Director Gerding notes that, because Item 1.05 was specifically created to require the disclosure of a cybersecurity incident “that is determined by the registrant to be material" and that the Item is thus “by definition material because it is not triggered until the company determines the materiality of an incident."
Director Gerding stressed that this clarification on the placement of disclosures is not intended to discourage voluntary disclosures of cybersecurity incidents, which can be valuable to investors, the marketplace, and companies. Additionally, he reminded companies and their advisors that if a company makes an early voluntary disclosure under Item 8.01 of Form 8-K, and then subsequently determines the incident is material, it should file an Item 1.05 Form 8-K within four business days of such subsequent materiality determination. That Item 1.05 can refer to the earlier Item 8.01 8-K disclosures, but the company would need to ensure that the disclosure in the subsequent filing satisfies the requirements of Item 1.05.
Finally, Director Gerding emphasized that companies should consider “all relevant factors" in making a materiality determination, including qualitative factors such as the harm to a company's “reputation, customer or vendor relationships, or competitiveness," and “the possibility of litigation or regulatory investigations or actions."
We will continue to monitor 8-K filings reporting cybersecurity incidents, and we expect company disclosures under Items 1.05 and Item 8.01 will continue to evolve in light of the Staff's recent guidance and other relevant considerations.
Thanks to Stella Kwak, Of Counsel in our NY office, for her assistance in preparing this post.