Material cybersecurity incidents to be reported on Form 8-K
Under new Item 1.05 of Form 8-K, registrants must disclose information about a material cybersecurity incident within four business days after the registrant determines that the incident is material. The materiality determination itself must be made without unreasonable delay after discovery of the incident, so the four-day clock cannot be deferred by postponing the assessment.
This information includes:
- A description of the material aspects of the nature, scope, and timing of the incident.
- The material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.
A registrant may delay the disclosure for an initial period of up to 30 days if the US Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of that determination in writing. On the same basis, the delay may be extended for an additional period of up to 30 days, and in extraordinary circumstances for a further final period of up to 60 days.
Where information called for by Item 1.05 was undetermined or unavailable at the time of the initial filing, the registrant must say so in that filing and then file an amended Form 8-K under Item 1.05 containing the information within four business days after it determines the information or the information becomes available.
In the May 2024 statement, SEC Corp Fin Director Erik Gerding emphasized that a registrant should not disclose under Item 1.05 of Form 8-K a cybersecurity incident that has not yet been determined to be material or that has been determined to be immaterial. Instead, a registrant may voluntarily disclose such incidents under a different item of Form 8-K, such as Item 8.01 (Other Events). If a registrant initially discloses an incident under Item 8.01, either because it is immaterial or because materiality has not yet been determined, and subsequently determines the incident to be material, it should file an Item 1.05 Form 8-K within four business days of that subsequent materiality determination.
When a cybersecurity incident is so significant that a registrant determines the incident to be material, even though the registrant has not yet determined its impact (or reasonably likely impact), the registrant should disclose the incident in an Item 1.05 Form 8-K. In that case, the registrant includes a statement that it has not yet determined the impact (or reasonably likely impact) of the incident and amends the Form 8-K to disclose the impact once that information is available. The initial Form 8-K filing should provide investors with necessary information about the nature, scope, and timing of the incident, even if the impact (or reasonably likely impact) is not yet determined.
The statement also emphasizes the importance of considering qualitative factors when assessing the impact of a cybersecurity incident. Registrants should not limit their materiality assessment to the impact on financial condition and results of operations but should also consider factors such as harm to reputation, customer or vendor relationships, competitiveness, and the possibility of litigation or regulatory investigations.
Overall, the Director’s statement aims to provide clarity and guidance to registrants on the disclosure requirements for cybersecurity incidents. It is not intended to discourage registrants from voluntarily disclosing cybersecurity incidents for which they have not yet determined materiality or incidents they consider immaterial. Such voluntary disclosures are recognized as valuable to investors, the marketplace, and registrants. However, registrants are encouraged to make these voluntary disclosures in a manner that does not confuse investors or dilute the value of disclosures regarding material cybersecurity incidents.