A few days ago, Corp Fin issued three new CDIs relating to delays in reporting material cybersecurity incidents on Form 8-K. Those CDIs, together with the Department of Justice Material Cybersecurity Incident Delay Determinations, addressed questions related to the Attorney General’s determination—or not—that disclosure of the incident on Form 8-K would pose a substantial risk to national security or public safety. (See this PubCo post.) Yesterday afternoon, Corp Fin added a new CDI on a closely related topic—the impact of a DOJ consultation on a determination, for reporting purposes, about the materiality of the incident itself. As Corp Fin Director Erik Gerding observed in a speech yesterday on cybersecurity disclosure, the CDI was intended to ensure that companies are not deterred from consulting with the DOJ or other national security agencies. The new CDI can be found under the caption Exchange Act Forms, in Section 104B, Item 1.05 Material Cybersecurity Incidents. A summary is below, but the CDI number is linked to the CDI on the SEC website, so you can easily read the version in full.
As you know, in July, the SEC voted, three to two, to adopt final rules on cybersecurity disclosure, which includes a requirement for material incident reporting on Forms 8-K and 6-K. (See this PubCo post.) Compliance with the 8-K and 6-K incident disclosure requirements will be required for all companies other than smaller reporting companies beginning on December 18, 2023. That’s this Monday. Under the final rule, if a public company experiences a cybersecurity incident that the company determines to be material, the company is required to file a Form 8-K under new Item 1.05, describing the “material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.”
The “materiality” determination regarding a cybersecurity incident must be made “without unreasonable delay” after discovery of the incident. The release advises that the concept of “materiality” in this context is consistent with caselaw in other securities contexts: “information is material if ‘there is a substantial likelihood that a reasonable shareholder would consider it important’ in making an investment decision, or if it would have ‘significantly altered the “total mix” of information made available.’” Companies, the SEC advises, should assess the materiality of cybersecurity incidents (as well as risks and related issues) “through the lens of the reasonable investor. Their evaluation should take into consideration all relevant facts and circumstances, which may involve consideration of both quantitative and qualitative factors.” For example, a company assessing a data breach it has experienced should “consider both the immediate fallout and any longer term effects on its operations, finances, brand perception, customer relationships, and so on, as part of its materiality analysis.” The SEC explains that, because the analysis is fact-driven, “the same incident that affects multiple registrants may not become reportable at the same time, and it may be reportable for some registrants but not others.” In addition, the release confirms that “a decision to share information with other companies or government actors does not in itself necessarily constitute a determination of materiality.” The SEC also emphasizes “that ‘[d]oubts as to the critical nature’ of the relevant information ‘will be commonplace’ and should ‘be resolved in favor of those the statute is designed to protect,’ namely investors.”
Item 1.05 Material Cybersecurity Incidents
- New Question 104B.04 Merely consulting with the DOJ regarding the availability of a delay under Form 8-K Item 1.05(c) would not necessarily result in a determination that the incident itself is material and therefore reportable under the requirements of Item 1.05(a). Rather, the determination of whether an incident is material “is based on all relevant facts and circumstances surrounding the incident, including both quantitative and qualitative factors, and should focus on the traditional notion of materiality as articulated by the Supreme Court.” In addition, there’s nothing in the requirements of Item 1.05 that would preclude a company from “consulting with the DOJ, including the FBI, the Cybersecurity & Infrastructure Security Agency, or any other law enforcement or national security agency at any point regarding the incident, including before a materiality assessment is completed.”
In his speech yesterday, Corp Fin Director Erik Gerding observed that a “public company may alert similarly situated companies as well as government actors at any point in its incident response, including immediately after discovering an incident and before determining materiality, so long as it does not unreasonably delay its internal processes for determining materiality.” Specifically commenting on this CDI, he observed:
“I hope this [the CDI] underscores that the rule does not create a disincentive for public companies to consult with law enforcement or national security agencies about cybersecurity incidents. Indeed, I would encourage public companies to work with the FBI, CISA, and other law enforcement and national security agencies at the earliest possible moment after cybersecurity incidents occur. I believe this timely engagement is in the interest of investors and the public. While this is not within the Commission staff’s purview, companies and government agencies may find that such timely engagement could assist them in a later determination of whether to seek a delay from the DOJ.
“Consultations with national security and law enforcement agencies may, of course, help companies to better understand the impact or severity of a particular incident and thus to assess whether the incident is material. But ultimately it is the company’s responsibility to make a materiality determination based on a consideration of all relevant facts and circumstances. In this regard, it’s worth bearing in mind that the analyses of cybersecurity incidents by these other agencies may take into account factors other than a focus on a reasonable investor. This is consistent with the CDI above. And, as I noted previously, the Commission did not establish a fixed timeline for making a materiality determination, and a company’s consultation with any national security or law enforcement does not change this and start the clock on a fixed timeline with respect to a cybersecurity incident. Again, instead of a fixed timeline, the Commission included Instruction 1 to Item 1.05, which states that ‘t[a] registrant’s materiality determination regarding a cybersecurity incident must be made without unreasonable delay after discovery of the incident.’”
In his conclusion, he noted the importance of the first year of a rule for Corp Fin’s Disclosure Review Program. But he emphasized that he wanted “to reassure companies and their representatives that our Division does not seek to make ‘gotcha’ comments or penalize foot faults. To the extent appropriate, we may issue forward-looking comments to companies or additional CDIs. This is a similar message to one I and others at the Division have given with respect to other disclosure rules that have recently gone into effect, such as the Pay versus Performance rules.” He recognized “the value of creating incentives for good faith efforts to comply with new rules,” and hoped that this message and Corp Fin’s “track record with respect to those other rules provides reassurance to companies and their advisers, particularly in the first year of effectiveness for this rule.”