On May 21, 2024, the Securities and Exchange Commission (SEC) issued a statement clarifying its rules regarding the disclosure of material cybersecurity incidents via Form 8-K. This guidance distinguishes between a public company’s required disclosure of material incidents and voluntary disclosure of other incidents, providing recommendations on how to notify investors of each.
Required Disclosure of Material Cybersecurity Incidents
The SEC's Cybersecurity Disclosure Rules—adopted in July 2023 and effective for most public companies since December 2023—mandate that, upon discovering a cybersecurity incident, companies conduct a materiality analysis of the incident and disclose any incident found to be “material” under Item 1.05 of Form 8-K. While the SEC has offered limited guidance on what constitutes a “material” incident—and it will admittedly vary based on each company's unique considerations—the Commission encourages companies to consider factors such as the incident's impact on financial condition, operations, reputation, customer or vendor relationships, competition, and potential for litigation or regulatory actions.
The SEC’s recent guidance reiterates that Item 1.05 is expressly titled “Material Cybersecurity Incidents” and is, by definition, not triggered until the incident is “material” at which point disclosure is required. Its purpose is to ensure that investors receive timely and accurate information about significant cybersecurity incidents which could change their investment or voting decisions.
Voluntary Disclosure of Other Cybersecurity Incidents
Since the SEC Rules became effective in December 2023, over a dozen companies have disclosed cybersecurity incidents via Form 8-K, the vast majority of which have either not yet concluded their materiality analysis or have concluded the analysis and expressly deemed the incident “immaterial”. The SEC's recent guidance recognizes this trend and emphasizes that Item 1.05 is intended and reserved solely for the required disclosure of material incidents and should not be used for the voluntary disclosure of immaterial or as-yet-undetermined cybersecurity incidents.
The SEC states that its clarification should not discourage companies from voluntarily disclosure, as these voluntary disclosures also provide valuable information to investors and the broader marketplace. However, such voluntary disclosures should be made under a different item of Form 8-K, such as Item 8.01, to ensure clear differentiation between material and immaterial incidents.
Relatedly, if a company initially voluntarily discloses under Item 8.01 and later determines the incident to in fact be “material”, the company should file a separate updated Item 1.05 disclosure within four business days, referencing the initial Item 8.01 disclosure and including all Item 1.05 requirements (i.e., incident nature, scope, timing, and reasonably likely material impact).
Our Take on the SEC Rules
In releasing the initial Rules, the SEC has consistently echoed its interest in protecting investors by providing them with transparent, accurate, and timely information. The recent clarification seems to balance these interests against an equal interest in avoiding investor confusion. Reserving Item 1.05 for required disclosures of material incidents (and encouraging voluntary disclosures of all other incidents via Item 8.01) preserves the integrity of Item 1.05 which is meant to communicate high-severity incidents. Keeping them separate enables investors to distinguish between material incidents which could pose high risks to the company’s finances, operations, relationships, and reputation versus immaterial incidents which likely do not. This better equips them to make informed investment and voting decisions.
However, the SEC's need to release the recent clarification also highlights the challenges which companies clearly face in understanding the Commission’s materiality standard, developing a materiality analysis which is appropriate for the company’s unique considerations, and implementing materiality determinations that strike the right balance between regulatory transparency while not unnecessarily alarming investors.
For more information about the SEC Cybersecurity Disclosure Rules, you can view our webinar recording on the topic here. For more hands-on assistance in understanding your company’s specific compliance with the Rules and in developing and implementing a materiality analysis suitable for your company's size, industry, and posture, please feel free to reach out to our team at Baker Botts.