
Legal Updates

SEC Issues Update on Cybersecurity Incident Report

Privacy & Cybersecurity Update

On May 21, Erik Gerding, Director of the SEC’s Division of Corporation Finance, released an announcement, “Disclosure of Cybersecurity Incidents Determined To Be Material and Other Cybersecurity Incidents” (“Cyber Disclosure Announcement”), which primarily focuses on how organizations can disclose cybersecurity incidents that have not been identified as “material” and emphasizes the relevant factors that should be considered when making materiality determinations.

SEC Cybersecurity Rule

The SEC Cybersecurity Rule requires, among other things, public companies to disclose material cybersecurity incidents under Item 1.05 of Form 8-K. A “cybersecurity incident” is defined under the rule as “an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a [company’s] information systems that jeopardizes the confidentiality, integrity or availability of a [company’s] information systems or any information residing therein.” Accordingly, the SEC adopted a very broad definition that may be implicated by a wide range of cybersecurity attacks, from network intrusion, data exfiltration, and extortion incidents to ransomware events that prevent access to and use of key infrastructure or data. Importantly, cybersecurity incidents on a third-party system may trigger the required Form 8-K disclosure.

The Form 8-K must include a description of (i) the material aspects of the nature, scope, and timing of the incident and (ii) the material impact or reasonably likely material impact of the incident on the company, including its financial condition and results of operations. However, a company is not required to disclose specific or technical information about its planned incident response or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede its response to or remediation of the incident.

The Form 8-K is generally due within four business days of determining that a cybersecurity incident is material. Following discovery of an incident, a company is required to determine whether such incident is material “without unreasonable delay.”

According to the SEC Cybersecurity Rule, a company should consider both qualitative and quantitative factors in assessing whether an incident’s impact is material, as a “lack of quantifiable harm does not necessarily mean an incident is not material.” For example, harm to a company’s reputation, customer or vendor relationships, or competitiveness, or the possibility of litigation or regulatory investigations or actions may constitute material or reasonably likely material impacts.

Cyber Disclosure Announcement

The Cyber Disclosure Announcement focuses on how organizations can disclose immaterial cybersecurity incidents and the relevant factors companies should consider when making materiality determinations.

Material/Immaterial Disclosures

According to the Cyber Disclosure Announcement, if a company elects “to disclose a cybersecurity incident for which it has not yet made a materiality determination, or a cybersecurity incident that the company determined was not material,” it is “encourage[d]” to make that disclosure under a different item on Form 8-K, not Item 1.05. Although Item 1.05 does not prohibit voluntary filings of immaterial cybersecurity incidents, it was added to Form 8-K to allow companies to disclose cybersecurity incidents that have been identified as material. Therefore, according to the Cyber Disclosure Announcement, “it could be confusing for investors if companies disclose either immaterial cybersecurity incidents or incidents for which a materiality determination has not yet been made under Item 1.05.”

Director Gerding states that the Cyber Disclosure Announcement is not meant “to discourage companies from voluntarily disclosing cybersecurity incidents for which they have not yet made a materiality determination, or from disclosing incidents that companies determine to be immaterial,” but rather it “is intended to encourage the filing of such voluntary disclosures in a manner that does not result in investor confusion or dilute the value of Item 1.05 disclosures regarding material cybersecurity incidents.” According to the Cyber Disclosure Announcement, “if all cybersecurity incidents are disclosed under Item 1.05, then there is a risk that investors will misperceive immaterial cybersecurity incidents as material, and vice versa.”

If a company discloses an immaterial cybersecurity incident under Item 8.01 of Form 8-K that subsequently becomes a material cybersecurity incident, it should file an Item 1.05 Form 8-K within four business days of its materiality determination. In such circumstances, the Form 8-K may refer to the earlier Item 8.01 Form 8-K, but the company would need to ensure that the disclosure in the subsequent filing satisfies the requirements of Item 1.05.

Materiality Factors

One of the compliance challenges of the SEC Cybersecurity Rule is determining whether an incident is material. According to the Cyber Disclosure Announcement, “in determining whether a cybersecurity incident is material, and in assessing the incident’s impact (or reasonably likely impact), companies should assess all relevant factors,” and this assessment is not limited to the impact a cyber event has on a company’s financial condition and operations. Rather, the Cyber Disclosure Announcement restates the SEC’s guidance that “companies should consider qualitative factors alongside quantitative factors,” such as whether the cybersecurity incident will “harm … [its] reputation, customer or vendor relationships, or competitiveness.” This assessment should also account for potential litigation or regulatory actions arising from the incident.

There also may be circumstances in which a cybersecurity event “is so significant that a company determines it to be material even though the company has not yet determined its impact (or reasonably likely impact),” and in these cases, it “should disclose the incident in an Item 1.05 Form 8-K, include a statement noting that the company has not yet determined the impact (or reasonably likely impact) of the incident, and amend the Form 8-K to disclose the impact once that information is available.” The initial Form 8-K filing, however, should provide investors with information necessary to understand the material aspects of the nature, scope, and timing of the incident, notwithstanding the company’s inability to determine the incident’s impact (or reasonably likely impact) at that time.

No Force of Law

The Cyber Disclosure Announcement is provided by Director Gerding in his “official capacity” but it “does not necessarily reflect the views” of the SEC, other SEC Commissioners, or other members of the staff. Further, the Cyber Disclosure Announcement is not a formal legal rule or regulation, or even an SEC statement. The SEC “has neither approved nor disapproved its content” and for the avoidance of doubt, it “has no legal force or effect: it does not alter or amend applicable law, and it creates no new or additional obligations for any person.” Although the Cyber Disclosure Announcement does not have the force of law, it is an important reminder for organizations to ensure their cyber incident response plans include comprehensive processes to identify whether a cybersecurity event triggers regulatory disclosure obligations.

This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgment of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel.

This document may be considered attorney advertising in some jurisdictions.

© 2024 THOMPSON HINE LLP. ALL RIGHTS RESERVED.
