Erik Gerding, Director of the SEC's Division of Corporation Finance, issued a statement to clear up misconceptions about what a company may say after filing an Item 1.05 Form 8-K disclosing a material cybersecurity incident.
According to Mr. Gerding, some companies are under the impression that if they experience a material cybersecurity incident, the SEC’s new rules prohibit them from discussing that incident beyond what was included in the Item 1.05 Form 8-K disclosing the incident. Mr. Gerding added “That is not the case.”
According to the statement, nothing in Item 1.05 prohibits a company from privately discussing a material cybersecurity incident with other parties or from providing information about the incident to such parties beyond what was included in an Item 1.05 Form 8-K.
Mr. Gerding also addressed selective disclosure questions under Regulation FD. As is well known, Regulation FD requires public disclosure of any material nonpublic information that has been selectively disclosed to securities market professionals or shareholders, as specified in the regulation. Depending on what information is disclosed, and to whom, discussions regarding a cybersecurity incident may implicate Regulation FD.
“Nothing in Item 1.05 alters Regulation FD or makes it apply any differently to communications regarding cybersecurity incidents” according to Mr. Gerding. There are several ways that a public company can privately share information regarding a material cybersecurity incident beyond what was disclosed in its Item 1.05 Form 8-K without implicating Regulation FD:
- For example, the information that is being privately shared about the incident may be immaterial, or the parties with whom the information is being shared may not be among the types of persons covered by Regulation FD.
- Further, even if the information being shared is material nonpublic information and the parties with whom the information is being shared are the types of persons covered by Regulation FD, an exclusion from the application of Regulation FD may apply.
- For example, if the information is being shared with a person who owes a duty of trust or confidence to the issuer (such as an attorney, investment banker, or accountant), or if the person with whom the information is being shared expressly agrees to maintain the disclosed information in confidence (e.g., by entering into a confidentiality agreement with the issuer), then public disclosure of that privately shared information will not be required under Regulation FD.