Yesterday, Corp Fin Director Erik Gerding issued a statement designed to clarify the use of Form 8-K Item 1.05 versus Form 8-K Item 8.01 when reporting cybersecurity incidents. Sounds like some of us might be doing it incorrectly—or at least sub-optimally—potentially resulting in investor confusion. Gerding’s statement is designed to set us straight. He also offers a little guidance about making materiality determinations regarding cybersecurity incidents.
In 2023, the SEC adopted new rules on cybersecurity disclosure. (See this PubCo post.) Under the final rules, if a public company experiences a cybersecurity incident that the company determines to be material, the company is required to file a Form 8-K under new Item 1.05, describing the “material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.” But Gerding’s statement highlights that Item 1.05 is intended to be used to report a cybersecurity incident “that is determined by the registrant to be material.” Moreover, in adopting Item 1.05, the SEC made clear that “Item 1.05 is not a voluntary disclosure, and it is by definition material because it is not triggered until the company determines the materiality of an incident.”
Companies certainly can make voluntary filings, he suggests, but there’s a place for that. If a company “chooses to disclose a cybersecurity incident for which it has not yet made a materiality determination, or a cybersecurity incident that the company determined was not material,” then Corp Fin “encourages the company to disclose that cybersecurity incident under a different item of Form 8-K (for example, Item 8.01).” Although Gerding recognizes that the text of Item 1.05 does not expressly prohibit voluntary filings, he professes that it “could be confusing for investors if companies disclose either immaterial cybersecurity incidents or incidents for which a materiality determination has not yet been made under Item 1.05.” Gerding emphasizes that this “clarification is not intended to discourage companies from voluntarily disclosing cybersecurity incidents for which they have not yet made a materiality determination, or from disclosing incidents that companies determine to be immaterial…. Rather, this statement is intended to encourage the filing of such voluntary disclosures in a manner that does not result in investor confusion or dilute the value of Item 1.05 disclosures regarding material cybersecurity incidents.”
Drawing distinctions between the two types of filings will allow investors to more easily distinguish between material and immaterial events and help them “make better investment and voting decisions with respect to material cybersecurity incidents. By contrast, if all cybersecurity incidents are disclosed under Item 1.05, then there is a risk that investors will misperceive immaterial cybersecurity incidents as material, and vice versa.”
Of course, filing under Item 8.01 could mean that the company is ultimately required to file a second Form 8-K. Where a company discloses an immaterial incident (or not-yet-material incident) under Item 8.01 of Form 8-K, and then determines that it is material, the company will need to file an Item 1.05 Form 8-K within four business days of the materiality determination. (Gerding notes that a company that makes a voluntary disclosure under Item 8.01 “is still subsequently required, under Item 1.05 of Form 8-K, to determine, without unreasonable delay, whether the incident was material.”) Gerding advises that the Item 1.05 Form 8-K “may refer to the earlier Item 8.01 Form 8-K, but the company would need to ensure that the disclosure in the subsequent filing satisfies the requirements of Item 1.05.”
In determining materiality and assessing the impact of the incident, Gerding recommends that, companies should assess all relevant factors, not just “financial condition and results of operations.” Rather, he advises, a company “should consider qualitative factors alongside quantitative factors,” such as whether the incident will “harm . . . [its] reputation, customer or vendor relationships, or competitiveness” and “the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and Federal Governmental authorities and non-U.S. authorities.”
Gerding also takes up the situation where a company determines that a significant cybersecurity incident is material even before it has assessed the reasonably likely impact. Gerding advises that, in that case, the company should include in its Item 1.05 Form 8-K “a statement noting that the company has not yet determined the impact (or reasonably likely impact) of the incident, and amend the Form 8-K to disclose the impact once that information is available. The initial Form 8-K filing, however, should provide investors with information necessary to understand the material aspects of the nature, scope, and timing of the incident, notwithstanding the company’s inability to determine the incident’s impact (or reasonably likely impact) at that time.”