Yesterday, Corp Fin Director Erik Gerding issued a new statement, Selective Disclosure of Information Regarding Cybersecurity Incidents. As you know, last year the SEC adopted new rules regarding cybersecurity disclosure, including requirements for both material incident reporting on Item 1.05 of Form 8-K and periodic disclosure of material information regarding cybersecurity risk management, strategy and governance. (See this PubCo post.) Gerding’s new statement is designed to disabuse companies of the idea that the new rules preclude them from discussing information about a material cybersecurity incident with others, including their commercial counterparties, beyond the information included in the Form 8-K. Gerding assures us that “[t]hat is not the case.” But while the new rules may not prohibit disclosure, what about Reg FD?
According to Gerding, “[n]othing in Item 1.05 prohibits a company from privately discussing a material cybersecurity incident with other parties or from providing information about the incident to such parties beyond what was included in an Item 1.05 Form 8-K. Those parties may include commercial counterparties, such as vendors and customers, as well as other companies that may be impacted by, or at risk from, the same incident or threat actor.” Gerding acknowledges that disclosure may be helpful with “remediation, mitigation, or risk avoidance efforts.” Indeed, as he notes, the rules actually encourage appropriate information sharing in certain circumstances.
But what about Reg FD? While there may be nothing in Form 8-K that prohibits further disclosure, it appears that some of these questions spring from concerns about potential violation of Reg FD. Gerding advises that there “are several ways that a public company can privately share information regarding a material cybersecurity incident beyond what was disclosed in its Item 1.05 Form 8-K without implicating Regulation FD. For example, the information that is being privately shared about the incident may be immaterial, or the parties with whom the information is being shared may not be one of the types of persons covered by Regulation FD.” The types of persons covered would include brokers or dealers, investment advisers, investment companies, and security holders, he notes. Or an exclusion may apply: “For example, if the information is being shared with a person who owes a duty of trust or confidence to the issuer (such as an attorney, investment banker, or accountant) or if the person with whom the information [is] being shared expressly agrees to maintain the disclosed information in confidence (e.g., if they enter into a confidentiality agreement with the issuer), then public disclosure of that privately-shared information will not be required under Regulation FD.”
Gerding concludes by reiterating that, while he understands some companies’ reticence to privately share the information, SEC rules “generally do not prohibit the sharing of such information.” Reg FD has been around for 20 years, and public companies should be familiar with “navigating those rules….[I]f the scope and requirements of those rules are heeded, they should not pose an undue impediment to the mutually beneficial sharing of information regarding material cybersecurity incidents.”