SEC Clarifies Cybersecurity Incident Disclosure Rules: Key Takeaways for Companies

The Securities and Exchange Commission (SEC) continues to refine its stance on the disclosure of material cybersecurity incidents, addressing corporate concerns and compliance complexities. On June 20, 2024, Erik Gerding, the Director of the SEC’s Division of Corporation Finance, provided further clarification regarding the selective disclosure of cybersecurity incidents. This move comes in response to persistent questions surrounding the SEC’s final cybersecurity disclosure rules, specifically under Item 1.05 of Form 8-K.

Understanding the SEC’s Latest Statement

Gerding’s recent statement primarily tackles the misconceptions about whether companies can discuss cybersecurity incidents beyond what is mandated in the Item 1.05 Form 8-K disclosures. A prevalent concern among companies is the fear that the SEC’s new rules might restrict them from discussing material cybersecurity incidents privately with other stakeholders. Gerding clarified that while companies can engage in such discussions, they must navigate the regulatory landscape, particularly in relation to Regulation FD.

Regulation FD: Core Principles and Implications

Regulation FD (Fair Disclosure) plays a pivotal role in preventing selective disclosure of material nonpublic information to certain market participants and security holders. Specifically, it mandates that companies must publicly disclose material nonpublic information simultaneously if the disclosure is intentional or promptly if it is unintentional. However, there are exemptions for communications with individuals who have a duty of trust or confidence to the company or those who have agreed to keep the information confidential, such as through nondisclosure agreements (NDAs).

Gerding’s statement reinforces that Item 1.05 does not modify the application of Regulation FD to cybersecurity disclosures. It delineates scenarios under which companies can share information about a cybersecurity incident without triggering public disclosure requirements under Regulation FD:

  1. Immaterial Information: Sharing details that are not considered material.

  2. Non-Covered Persons: Communicating with individuals or entities that do not fall under the Covered Persons category.

  3. Duty of Trust or Confidence: Engaging with parties who have an inherent duty to maintain confidentiality.

  4. Confidential Agreements: Using NDAs to ensure information remains confidential.

Disclosure of Cybersecurity Incidents: Detailed Guidance

In his earlier statement on May 21, 2024, Gerding provided additional guidance on the cybersecurity rules adopted by the SEC on July 26, 2023. These rules require public companies to disclose material cybersecurity incidents under Item 1.05 of Form 8-K. However, if a company chooses to disclose a cybersecurity incident for which it has not yet made a materiality determination or an incident deemed immaterial, the Division of Corporation Finance encourages disclosure under a different item of Form 8-K, such as Item 8.01.

Gerding emphasized the importance of distinguishing between material and immaterial incidents to avoid investor confusion. Disclosures of immaterial incidents under Item 8.01 should be revisited if the incident is later determined to be material, necessitating a subsequent Item 1.05 Form 8-K filing within four business days.

Strategic Considerations for Companies

While these guidelines offer a framework for compliance, companies must be vigilant in managing the intricacies of incident disclosures. There are compelling reasons for private discussions about cybersecurity incidents, such as facilitating remediation, mitigation, and compliance efforts. For instance, collaborating with external experts who assist in managing the fallout of a cyber incident or sharing information with partners to help them meet their disclosure obligations can be critical.

Expert Commentary

John A. Wheeler from Wheelhouse Advisors comments on the SEC’s guidance:

“The SEC’s recent clarification is a crucial development for corporate risk management strategies. Companies must balance transparency with the need to protect sensitive information. The guidance on Regulation FD provides a clear path for businesses to communicate effectively without breaching regulatory requirements. At Wheelhouse Advisors, we emphasize the importance of robust internal controls and clear communication channels to navigate these regulatory landscapes efficiently.”

The SEC’s continued efforts to clarify its cybersecurity disclosure rules are aimed at ensuring that companies can responsibly disclose material incidents while adhering to regulatory requirements. By understanding the nuances of Regulation FD and utilizing the provided guidelines, companies can better manage their disclosure practices, ultimately enhancing their overall cybersecurity posture and regulatory compliance.

For more detailed insights, companies should consult with legal and risk management professionals to tailor their approach to these evolving regulatory expectations.

References:

  1. Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11216; 34-97989 (July 26, 2023) [88 FR 51896 (Aug. 4, 2023)]

  2. Wilson Sonsini Goodrich & Rosati’s latest commentary on SEC guidance (June 2024)

  3. Erik Gerding, Director, Division of Corporation Finance, “Disclosure of Cybersecurity Incidents Determined To Be Material and Other Cybersecurity Incidents,” May 21, 2024

Samantha "Sam" Jones

Samantha “Sam” Jones is a seasoned technology market analyst, specializing in integrated risk management and adept at uncovering market insights through advanced analytical tools. Passionate about sustainable business practices and emerging technologies, she enjoys staying at the forefront of the industry by participating in community tech events and exploring new trends.
