SEC Clarifies Material Cybersecurity Incident Disclosure Requirements
The SEC Division of Corporation Finance (the "Division") issued new FAQs relating to material cybersecurity incident disclosure requirements for Form 8-K filings.
Under Item 1.05 ("Material Cybersecurity Incidents") of Form 8-K, a registrant is required to report a material incident "within four business days after the registrant, without unreasonable delay, determines such information or within four business days after such information becomes available." The SEC, in the adopting release for this rule, said the registrant should determine "if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly altered the total mix of information made available."
The SEC FAQs clarified the following:
- Question 104B.05. Notwithstanding the fact that the incident may have been resolved (such as after making a ransomware payment, and the threat actor ends the disruption of operations or returns the data), a registrant is required to make a materiality determination.
- Question 104B.06. If the registrant did not report the incident it determined to be material before it made the ransomware payment, and the threat actor ended the disruption of operations or returned the data, a registrant still needs to disclose the incident.
- Question 104B.07. If the registrant was reimbursed for the ransomware payment under its insurance policy, the registrant must still assess the materiality of the cybersecurity incident. The SEC said this may "include an assessment of the subsequent availability of, or increase in cost to the registrant of, insurance policies that cover cybersecurity incidents."
- Question 104B.08. The size of the ransomware payment is not determinative as to whether the cybersecurity incident is material. The SEC said a ransomware payment "is only one of the various potential impacts of a cybersecurity incident that a registrant should consider under Item 1.05."
- Question 104B.09. If a registrant experienced a series of cybersecurity incidents and determined that each incident, individually, was immaterial, disclosure may still be required. The SEC said "the registrant should consider whether any of those incidents were related, and if so, determine whether those related incidents, collectively, were material."
Statement of the Corporation Finance Director
In a separate statement, Director of the SEC Division of Corporation Finance Erik Gerding elaborated on the Item 1.05 requirement to disclose material cybersecurity incidents.
Director Gerding pushed back against assertions that the SEC's rules or policies prohibited issuers from "sharing information about a material cybersecurity incident with others, including their commercial counterparties." Mr. Gerding stated, "Nothing in Item 1.05 prohibits a company from privately discussing a material cybersecurity incident with other parties or from providing information about the incident to such parties beyond what was included in an Item 1.05 Form 8-K." He said that sharing this information with other parties could assist with remediation, mitigation, or risk avoidance efforts and facilitate those parties' compliance with their own disclosure and reporting obligations.
Mr. Gerding responded to the concern that privately disclosing additional information about a material cybersecurity incident might implicate the selective disclosure rules under Regulation FD ("Fair Disclosure"). Mr. Gerding clarified that "nothing in Item 1.05 alters Regulation FD or makes it apply any differently to communications regarding cybersecurity incidents." He noted examples in which (i) the shared information might be immaterial and not affect investors' decisions; (ii) the people receiving the information might not be the types of people covered by Regulation FD; or (iii) the information may be significant and shared with covered types of people, but an exception might apply. Mr. Gerding explained that recipients are bound by confidentiality agreements or have a duty to keep the information confidential (like lawyers or accountants). He reiterated that the rules "should not pose an undue impediment to the mutually beneficial sharing of information regarding material cybersecurity incidents."
Commentary
These FAQs provide helpful guidance for companies struggling with the nuances of assessing materiality within a short period of time, even for those companies that already have a sound materiality analysis in place. They also highlight the very real difficulty of determining when certain incidents cross the line from non-material to material, and the need for organizations to include these common cyber scenarios within their materiality analysis. Notably, the FAQs focus many of the questions on a ransomware event and highlight the difficulty of determining the material impact of such an event. Considering the increased threat of ransomware this year, it is a good reminder for organizations to take a closer look at how a ransomware event may affect their reporting obligations.