On July 26, 2023, the SEC adopted new rules governing public
company disclosures related to cybersecurity risk management, strategy,
governance, and reporting. The new rules imposed a number of
requirements on public companies to disclose the occurrence of a material
cybersecurity incident starting on Dec. 18, 2023 (the compliance date). Within
four business days after determining a cybersecurity incident is material,
public companies must disclose the incident under Item 1.05 of Form 8-K. The
disclosure should include the material aspects of the nature, scope, and timing
of the incident and the material impact or reasonably likely material impact on
the company, including on its financial condition or results of operation.
While there is no specific date as to when materiality must be determined, the
materiality determination must be made by the company without reasonable delay.
Cybersecurity disclosure statistics
A handful of companies disclosed cybersecurity incidents after
the adoption of the cybersecurity rules was announced and before the rules'
compliance date. Between July 26, 2023, and Dec. 18, 2023, approximately 20
companies disclosed a cybersecurity-related incident in a Form 8-K. Of these 20
companies, 16 disclosed the incident under Item 8.01 (Other Events) and four companies
disclosed the incident under Item 7.01 (Regulation FD Disclosure). Additionally,
eight of these companies amended their 8-K to include more information and one
company disclosed that the cybersecurity incident would have a material effect
on its financial results.
Since the rules' compliance date, approximately 45 companies
disclosed a cyber-related incident in a Form 8-K. Of these companies, 11
subsequently amended their Form 8-K to include additional information on the
incident. Further, although the rules require disclosure only of material cybersecurity incidents, just
three of the 45 companies disclosed that the incident had or will have a
material impact on the company's business.
SEC Corp. Fin. Director Gerding's guidance on disclosure
In light of the significant number of companies that disclosed
cybersecurity incidents under Item 1.05, even though they were unable to
determine that the incident would have a material impact, on May 21, 2024, the
Director of the SEC's Division of Corporation Finance, Erik Gerding, issued a
statement encouraging companies to make such voluntary cybersecurity
disclosures in a different manner that would not dilute Item 1.05 disclosures
of material cybersecurity events or otherwise generate investor confusion. The
result was a significant drop-off in the percentage of cybersecurity incident
disclosures made under Item 1.05. Of the 25 companies that filed a Form 8-K
relating to a cybersecurity incident since Director Gerding's statement, 20
filed their disclosures under Item 8.01 (two of which subsequently amended the
Form 8-K to disclose under Item 1.05), two filed under Item 7.01, and only three
disclosed a cybersecurity incident under Item 1.05 in their initial filing.
Key takeaways and lessons learned
Having just crossed the one-year anniversary of the SEC's
cybersecurity disclosure rules' compliance date, a review of the full year of
data on how companies are navigating these rules offers lessons public
companies should take away to ensure efficient and full compliance when
disclosing a cybersecurity incident.
Determining materiality. Materiality
is the bar for requiring disclosure of a cybersecurity incident under Item
1.05. The SEC expects companies to apply the standard materiality assessment
used in other risks and events companies face, rather than using a
cybersecurity-specific materiality assessment, which would depart from current
practice and "would not be consistent with the intent of the final rules."
Therefore, a cybersecurity incident is material if there is a substantial
likelihood that a reasonable investor would consider it important in making a decision to buy or sell securities. Moreover,
companies must consider qualitative as well as quantitative factors when making
their materiality determination. Such factors include, but are not limited to,
the scope of the incident, the data affected, hard costs, the company's reputation,
past related incidents, governance and internal controls, and the likelihood of
litigation or regulatory investigations.
Providing timely information. Companies
must disclose a cybersecurity incident within four business days after determining such
incident is material, subject to certain exceptions. To the extent the
information required by Item 1.05 is still undeterminable or unavailable at the
time the filing is due, companies should still ensure prompt disclosure on Form
8-K, either under Item 8.01 or Item 1.05, depending on which is more applicable.
If a company discloses the incident under Item 1.05 without having all required
information, it must include a statement that the information required by Item
1.05 was not determined or is unavailable at the time of the filing. When the
required information does become available, companies should amend their Form
8-Ks with an update within four business days.
Following disclosed incident response plans.
Along with the 8-K Item 1.05 disclosure requirements, the SEC also adopted
rules requiring companies to disclose in the Annual Report on Form 10-K the
company's risk management, strategy and governance of cybersecurity incidents.
And the SEC is critically focused on companies following their cybersecurity
incident response plans. If disclosed response plans are not followed, the SEC
may bring enforcement actions both to challenge the prior disclosures and to
allege insufficient disclosure and accounting controls surrounding an incident.
Additionally, given the focus on adhering to incident response plans, companies
should consider incorporating some flexibility in those plans, as cybersecurity
incidents are unique and there isn't a "one size fits all" response to be
followed in every situation.
Following other applicable disclosure requirements.
Companies should be aware that cybersecurity incidents may
require disclosures to other regulators or to consumers, and any such other public
disclosure could lead to SEC scrutiny if the incident is not also disclosed as
a material event in an SEC filing.
Amanda Zoda, an associate at Weil, Gotshal & Manges LLP, contributed to this article.