On May 21, 2024, the director of the SEC’s Division of Corporation Finance, Erik Gerding, issued a statement regarding the new requirement to disclose material cybersecurity incidents on Form 8-K. The SEC’s latest cybersecurity disclosure rules (discussed here) took effect for most companies on Dec. 18, 2023, and require public companies to disclose incidents that are “determined by the registrant to be material” under Item 1.05 of Form 8-K. In fact, Item 1.05 is titled “Material Cybersecurity Incidents” and the adopting release states Item 1.05 “is not a voluntary disclosure, and it is by definition material because it is not triggered until the company determines the materiality of an incident.” Under Item 1.05, a materiality determination must be made by the company “without undue delay” and must be based on whether there is a substantial likelihood that a reasonable investor would consider the information important or whether it would have significantly altered the total mix of information available. Once a public company deems an incident “material,” it must report the incident within four business days.
Since the new rules took effect approximately five months ago, many companies have chosen to voluntarily report cybersecurity incidents under Item 1.05 out of an abundance of caution, even where the company had not yet made a materiality determination or had determined the incident to be immaterial. While Gerding’s statement recognizes the value of such voluntary disclosures, and the text of Item 1.05 does not expressly prohibit voluntary disclosures, the statement expressed concerns that reporting immaterial cybersecurity incidents under Item 1.05 may lead to investor confusion or dilute the value of Item 1.05.
Given the prevalence of both material and immaterial cybersecurity threats, which public companies face every day, Gerding encouraged companies to use Item 8.01 (Other Events) to voluntarily report cybersecurity incidents that have not been deemed material. This distinction “will allow investors to more easily distinguish between the two and make better investment and voting decisions with respect to material cybersecurity incidents.… [I]f all cybersecurity incidents are disclosed under Item 1.05, then there is a risk that investors will misperceive immaterial cybersecurity incidents as material, and vice versa.”
Companies should carefully consider which item of Form 8-K to use when disclosing cybersecurity incidents. If the company has not yet made a materiality determination but chooses to voluntarily disclose a cybersecurity incident, it should do so under Item 8.01. If, however, the company learns additional information or later determines that the same incident is material, it should file another Form 8-K within four business days of that determination and report the incident under Item 1.05. Finally, for any material incidents, regardless of whether they were first reported under Item 1.05 or Item 8.01, the company should ensure that it discloses the impact of the incident in a manner that satisfies all the requirements of Item 1.05. This means companies may sometimes file an amendment on Form 8-K/A as they learn new details about a material incident after the four-business-day deadline.
We will continue to follow these and other legal developments related to cybersecurity measures and reporting. Please reach out to Kramer Levin’s Public Companies group or Privacy, Cybersecurity and Data Innovation group for more information.