By Cam Sivesind
Thu | May 23, 2024 | 2:34 PM PDT

The U.S. Securities and Exchange Commission (SEC) has issued new guidance aimed at clearing up confusion around how public companies should disclose cybersecurity incidents under the agency's recently adopted disclosure rules.

In a May 21, 2024, announcement from Erik Gerding, Director of the SEC's Division of Corporation Finance, the agency clarified that only cybersecurity incidents determined by a company to be material should be disclosed via an 8-K filing under the new Item 1.05.

The SEC's new cybersecurity disclosure requirements, which went into effect last year, require public companies to report material cybersecurity incidents on Form 8-K within four business days of determining materiality. However, some companies have been filing all cyber incidents, whether deemed material or not, under Item 1.05.

Gerding stated this practice could lead to "investor confusion or dilute the value of Item 1.05 disclosures regarding material cybersecurity incidents." He encouraged companies to instead disclose non-material incidents or those where materiality hasn't been determined under the more general Item 8.01 of Form 8-K.

"Given the prevalence of cybersecurity incidents, this distinction... will allow investors to more easily distinguish between [material and non-material] and make better investment and voting decisions," Gerding explained.

The announcement provides a few key clarifications:

  • If a company initially reports an incident as non-material under Item 8.01 but later determines it is material, it must file a new 8-K under Item 1.05 within four business days.
  • Companies should consider qualitative factors beyond just financial impacts when assessing an incident's materiality, such as reputational harm, litigation risks, and regulatory scrutiny.
  • In cases where the impacts can't yet be determined, companies can initially disclose the incident's nature and scope under Item 1.05 and provide updates later via an amended filing.

The guidance is intended to enhance transparency for investors while avoiding excessive noise from immaterial cyber events being inadvertently disclosed as material incidents.

"The SEC's intent in their latest cybersecurity incident disclosure rules—to enhance transparency for investors—is good. And the recent clarifications—focusing on material cybersecurity incidents—are a step in the right direction," said Glenn Kapetansky, CSO, Trexin Group. "In the short term, however, the definition of 'material'—which depends on sector and even timing—is murky enough that CISOs are still uncertain what is material and what is not. Hopefully, this is a temporary and short phase!"

As cyberattacks and data breaches continue plaguing businesses, the SEC has made cybersecurity disclosure an area of increased focus. Clear disclosure of material cyber threats is seen as essential for investors evaluating risk exposures of public companies.

While the clarifications provide more nuance, the agency maintains that timely and accurate reporting of truly material cyber incidents remains an obligation for public companies under the new disclosure regime. Proper classification of each event's severity is now paramount.

"I’m glad the SEC is adding additional guidance around disclosure of cybersecurity incidents," said David Lingenfelter, CISO, Penn Entertainment. "Ongoing discussions and clarity will help companies better understand how to handle different situations. Clear definitions of material or non-material events, as well as separating how they get filed, will go a long way to helping companies comply with the requirements."

Gerding offered a statement in December 2023 on cybersecurity disclosure, including:

"In July of this year, the Commission adopted final rules that will require public companies to disclose both material cybersecurity incidents they experience and, on an annual basis, material information regarding their cybersecurity risk management, strategy, and governance."

Explaining the overview of the rule and its rationale, Gerding wrote: "The Commission and its staff have been addressing cybersecurity risk disclosures for many years. In 2011, the staff—and in 2018, the Commission itself—issued guidance on how existing disclosure rules apply to cybersecurity risks and incidents. Although public companies' disclosures of material cybersecurity incidents and cybersecurity risk management and governance improved since that guidance was issued, disclosure practices have remained inconsistent. Thus, the Commission determined that new rules would provide investors with the more timely, consistent, comparable, and decision-useful information they need to make informed investment and voting decisions."

Further explaining the Cybersecurity Incident Disclosure Provision, he added, "To understand the cybersecurity incident disclosure requirement, it is helpful to ask and answer three questions: what must be disclosed, when must that information be disclosed, and why did the Commission use a materiality standard." See the December 2023 statement for more details on each of the three questions that need to be answered.