In an era of pervasive cybersecurity threats, the U.S. Securities and Exchange Commission (SEC) has taken significant steps to enhance transparency and protect investors.
On May 21, 2024, the Director of the Division of Corporation Finance released a statement titled “Disclosure of Cybersecurity Incidents Determined To Be Material and Other Cybersecurity Incidents.” The statement clarifies the distinction between mandatory and voluntary disclosure for public companies on Form 8-K: Item 1.05 is reserved for incidents the company has determined to be material, while incidents that have not yet been determined to be material, or have been determined not to be material, may be disclosed voluntarily under Item 8.01.
The guidance underscores the importance of clear communication regarding material cybersecurity risks, aiding investors in making informed decisions without deterring voluntary reporting. As cybersecurity incidents become more sophisticated, companies must navigate these updated disclosure requirements to ensure compliance and maintain investor trust.
Understanding the Requirements
Cybersecurity disclosure rules enacted by the SEC on July 26, 2023, require public companies to report certain cybersecurity incidents on Form 8-K, specifically under Item 1.05. This Item is designed for material cybersecurity events. Companies are required to file Form 8-K within four business days of determining that the cybersecurity incident is material.
What is a Cybersecurity Incident?
For the purposes of reporting on Form 8-K, a Cybersecurity Incident is an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information system that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing there.
The definition is intended to be broad, and the requirement to file an 8-K may be triggered even when the material impact results from a series of related incidents that are each immaterial on their own.
How is Materiality Determined?
The SEC did not establish a special materiality definition for cybersecurity incidents. Instead, it relied on the existing standard of materiality developed in Supreme Court case law and articulated in rules under the Securities Act and the Securities Exchange Act. Information is material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision or if it would have “significantly altered the total mix of information made available.”
When is Materiality Determined?
Form 8-K does not prescribe how long a company may take to determine materiality. However, the instructions indicate that the determination should be made “without unreasonable delay” after the incident is discovered. Once the company has determined that the incident is material, it must be reported under Item 1.05 of Form 8-K within four business days of that determination.
What is the Process for Determining Materiality?
While Form 8-K does not prescribe a process, the short reporting window means companies should establish in advance a process for determining the materiality of cyber incidents, including identifying who should be involved in the assessment. The process will be unique to each company, but some steps that will be common include:
Required Disclosures under Item 1.05 of Form 8-K
Item 1.05 of Form 8-K requires the disclosure of material cybersecurity incidents. The key elements of the required disclosure include:
As public companies grapple with cybersecurity threats, the SEC’s clarified Form 8-K disclosure requirements provide vital transparency and protect investors. By adhering to these guidelines, and keeping Item 1.05 filings for incidents determined to be material and Item 8.01 for voluntary disclosure of other incidents, companies can navigate the line between mandatory and voluntary disclosure for the benefit of investors.