SEC Clarifies Reporting of Material vs. Immaterial Cybersecurity Incidents
The U.S. Securities and Exchange Commission's (SEC) Division of Corporate Finance (Division) published a statement on May 21, 2024, regarding how public companies may disclose cyber incidents they determined to be immaterial. The Division's director said the statement was addressing confusion about reporting immaterial cyber incidents that arose after the SEC issued its Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure rule (Cyber Rule) in July 2023. The Cyber Rule, which we discussed in a prior post, requires a public company to disclose a cyber incident that it determines was material in Item 1.05 of Form 8-K. However, since the Cyber Rule was issued, numerous companies have disclosed cyber incidents they have determined to be immaterial in Item 1.05, apparently as a potential hedge against SEC enforcement.
The Division clarified that companies should report only incidents they have determined to be material under Item 1.05 of Form 8-K. If a company wishes to voluntarily disclose an incident for which it has not yet made a materiality determination, or otherwise wishes to voluntarily disclose an immaterial incident, it should do so under Item 8.01 of Form 8-K, which permits the disclosure of "any events, with respect to which information is not otherwise called for by this Form, that the registrant deems of importance to security holders." The Division issued the statement to "encourage the filing of such voluntary disclosures in a manner that does not result in investor confusion or dilute the value of Item 1.05 disclosures regarding material cybersecurity incidents."
The Division's statement also reiterated key guidance from the SEC's adopting release accompanying the Cyber Rule on determining whether a cyber incident is material. The Division stated that when companies assess the materiality of a cyber incident, they must assess all relevant factors and may not limit their assessment to "quantitative" factors such as the incident's impact on the company's "financial condition and results of operation." Companies also must consider "qualitative" factors, such as reputational harm and litigation or regulatory risk, alongside the quantitative factors. The Division also stated that some cyber incidents may be so significant that a public company determines them to be material even before it can assess the likely impact. The Division advises that in such cases the company should disclose the incident in Item 1.05 of Form 8-K, include a statement noting that the company has not yet determined the impact, and amend the Form 8-K once information about the impact is available.