Erik Gerding, Director of the SEC Division of Corporation Finance, clarifies guidelines around the disclosure of cybersecurity incidents under the rules adopted by the SEC on July 26, 2023. Public companies are required to disclose material cybersecurity incidents under Item 1.05 of Form 8-K. Gerding encourages companies to use Item 8.01 of Form 8-K for disclosing incidents that are either immaterial or pending a materiality determination to avoid investor confusion. Item 1.05 is specifically for material incidents, and using it for all cybersecurity disclosures could lead to misperceptions about the severity of incidents.
Companies are not discouraged from voluntary disclosures of immaterial incidents; such disclosures should simply be made under the appropriate item. If an incident initially disclosed as immaterial is later determined to be material, companies must then file an Item 1.05 Form 8-K within four business days of this determination, ensuring compliance with Item 1.05 requirements.
When assessing materiality, companies should consider both quantitative and qualitative factors, including potential reputational harm, impact on relationships, competitiveness, and the likelihood of litigation or regulatory actions. Even without a determined impact, significant incidents should be disclosed under Item 1.05, with updates provided as further information becomes available. This approach aims to maintain clarity for investors, helping them make informed decisions.