Erik Gerding, Director, Division of Corporation Finance, released a statement on the preferred methods to disclose certain cybersecurity incidents. Mr. Gerding noted “The cybersecurity rules that the Commission adopted on July 26, 2023 require public companies to disclose material cybersecurity incidents under Item 1.05 of Form 8-K. If a company chooses to disclose a cybersecurity incident for which it has not yet made a materiality determination, or a cybersecurity incident that the company determined was not material, the Division of Corporation Finance encourages the company to disclose that cybersecurity incident under a different item of Form 8-K (for example, Item 8.01). Although the text of Item 1.05 does not expressly prohibit voluntary filings, Item 1.05 was added to Form 8-K to require the disclosure of a cybersecurity incident “that is determined by the registrant to be material,” and, in fact, the item is titled “Material Cybersecurity Incidents.” In addition, in adopting Item 1.05, the Commission stated that “Item 1.05 is not a voluntary disclosure, and it is by definition material because it is not triggered until the company determines the materiality of an incident.” Therefore, it could be confusing for investors if companies disclose either immaterial cybersecurity incidents or incidents for which a materiality determination has not yet been made under Item 1.05.”
Mr. Gerding also noted “This clarification is not intended to discourage companies from voluntarily disclosing cybersecurity incidents for which they have not yet made a materiality determination, or from disclosing incidents that companies determine to be immaterial. I recognize the value of such voluntary disclosures to investors, the marketplace, and ultimately to companies, and this statement is not intended to disincentivize companies from making those disclosures.”
Finally, Mr. Gerding indicates “in determining whether a cybersecurity incident is material, and in assessing the incident’s impact (or reasonably likely impact), companies should assess all relevant factors. As the Commission noted in the Adopting Release, that assessment should not be limited to the impact on “financial condition and results of operation,” and “companies should consider qualitative factors alongside quantitative factors.” For example, companies should consider whether the incident will “harm . . . [its] reputation, customer or vendor relationships, or competitiveness.” Companies also should consider “the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and Federal Governmental authorities and non-U.S. authorities.””