On May 21, 2024, Erik Gerding, Director of the SEC’s Division of Corporation Finance, issued a statement regarding the disclosure of cybersecurity incidents on Form 8-K. In his statement, Director Gerding encourages companies that voluntarily choose to disclose a cybersecurity incident that has not been determined to be material, or for which no materiality determination has yet been made, to make that disclosure using a Form 8-K item other than Item 1.05 (Material Cybersecurity Incidents). For example, companies may voluntarily provide the disclosure under Item 8.01 (Other Events).
In his statement, Director Gerding emphasizes that, in light of the prevalence of cyber incidents, reserving disclosure under Item 1.05 for incidents that are material will help avoid investor confusion or misunderstanding as to the severity of incidents, as well as reduce the risk of dilution of the value of disclosures made under Item 1.05.
Director Gerding also notes that the statement is not intended to discourage companies from voluntarily disclosing cybersecurity incidents and reiterates that the materiality assessment of an incident should look not only at the financial impacts of the incident but also qualitative factors. Director Gerding refers to a number of examples of qualitative considerations that were contained in the Item 1.05 adopting release, such as reputational or competitive harm, customer or vendor relationships, as well as the possibility of litigation or regulatory actions.
Finally, the statement provides helpful clarification for situations where an incident is disclosed voluntarily, for example under Item 8.01, but then later is determined to be material. In that circumstance, companies must file an Item 1.05 8-K within four business days of their materiality determination. While this Item 1.05 8-K may refer to the original Item 8.01 8-K, it must include all of the disclosures required by Item 1.05.
Director Gerding’s statement clarifies the SEC staff’s views on the appropriate use of Item 1.05 of Form 8-K in light of the uncertainty and varied practice that has developed since the Item’s adoption.
