On May 21, 2024, the Director of the Division of Corporation Finance at the U.S. Securities and Exchange Commission (SEC), Erik Gerdig, issued a statement clarifying that Item 1.05 of Form 8-K should only be used to disclose material cybersecurity incidents. When choosing to make a voluntary disclosure of a cybersecurity incident that the company determined was not material or for which it had not yet made a materiality determination, the company should use a different item of Form 8-K, such as Item 8.01.
In today's digital landscape, cybersecurity incidents like ransomware attacks are increasingly common and can significantly impact public companies. To enhance transparency and protect investors, in July 2023, the SEC adopted cybersecurity disclosure rules that require, among other things, that public companies disclose material cybersecurity incidents under Item 1.05 of Form 8-K. Since these rules went into effect in December 2023, there have been a number of 8-Ks disclosing cybersecurity incidents filed under Item 1.05 and only a small minority (approximately 10%) stated that the incident was material.
One factor that may be contributing to the number of 8-Ks disclosing cybersecurity incidents filed under Item 1.05 without stating that the incident is material may be the SEC’s complaint that was filed against SolarWinds Corporation in November 2023. The complaint also named the company’s Chief Information Security Officer as an individual in the action. This aggressive SEC posture may have contributed to companies disclosing incidents that were not material for fear of being subject to enforcement actions related to insufficient disclosure.
According to the statement, "It could be confusing for investors if companies disclose either immaterial cybersecurity incidents or incidents for which a materiality determination has not yet been made under Item 1.05." Accordingly, ‘this distinction between a Form 8-K filed under Item 1.05 for a cybersecurity incident determined by a company to be material and a Form 8-K voluntarily filed under Item 8.01 for other cybersecurity incidents will allow investors to more easily distinguish between the two and make better investment and voting decisions with respect to material cybersecurity incidents.”
In adopting this approach, the SEC advised it is not trying to discourage voluntary disclosures of cybersecurity incidents. According to the SEC, these voluntary disclosures under Item 8.01 are valuable and provide transparency, but they should be clearly differentiated from disclosures of material cybersecurity incidents so that investors can give material incidents the appropriate level of attention.
Additionally, the statement reiterated that, in evaluating materiality, companies should consider quantitative and qualitative factors. Companies should consider potential reputational harm, the impact on customer or vendor relationships or the company’s competitiveness, and the possibility of litigation or regulatory investigations. The statement also noted that there may be cybersecurity incidents that are so significant that the company can determine it is a material incident before understanding its impact. In such an instance, the SEC directs that the incident should be filed under Item 1.05 with sufficient information for investors to understand the nature, scope, and timing of the incident and the disclosure should include a statement noting that the company has not yet determined the impact of the incident. The company should amend the Form 8-K once the impact has been determined.