SEC clarifies intent of cybersecurity breach disclosure rules after initial filings

Written on Jun 10, 2024

Cybersecurity breach reporting requirements adopted by the SEC last year aren’t intended for voluntary disclosure of “immaterial” incidents, a senior agency official said in a recent statement. 

The rules require public companies to report a “material” cybersecurity incident to the SEC in an Item 1.05 Form 8-K within four days of determining the breach is material. While voluntary Item 1.05 filings aren’t expressly prohibited, they have the potential to confuse investors, Erik Gerding, director of the SEC’s Division of Corporation Finance, said in the statement. 

“[I]f all cybersecurity incidents are disclosed under Item 1.05, then there is a risk that investors will misperceive immaterial cybersecurity incidents as material, and vice versa,” he said. 

Gerding’s statement likely reflects the Division of Corporation Finance’s concern about incident disclosures filed under the SEC’s new rules since the agency began enforcing them last December, according to a blog post published by law firm Wiley Rein LLP.

“Our review of public filings demonstrates some caution on the part of filers, with some companies making filings under Item 1.05 where it is not clear that the incident is material,” the blog post said. “Instead, filers appear motivated to file in an abundance of caution without having made a materiality determination.” 

Under the SEC rules, companies must determine the materiality of an incident “without unreasonable delay following discovery and, if the incident is determined material, file an Item 1.05 Form 8-K generally within four business days of such determination.” 

The disclosure must describe the material aspects of the nature, scope and timing of the incident, as well as its “material impact or reasonably likely material impact.” 

If a company chooses to disclose a breach for which it has not yet made a materiality determination or one that was determined to not be material, the Division of Corporation Finance encourages the company to disclose that incident under a different item of Form 8-K, such as Item 8.01, Gerding said. 

“I recognize the value of such voluntary disclosures to investors, the marketplace, and ultimately to companies, and this statement is not intended to disincentivize companies from making those disclosures,” he said. “Rather, this statement is intended to encourage the filing of such voluntary disclosures in a manner that does not result in investor confusion or dilute the value of Item 1.05 disclosures regarding material cybersecurity incidents.” 

If a company discloses an immaterial incident under Item 8.01, and then it subsequently determines that the incident is material, then it should file an Item 1.05 Form 8-K within four business days of such subsequent materiality determination, according to the statement. 

As of Dec. 18, all covered entities other than smaller reporting businesses were required to comply with the new breach disclosure mandates. Smaller reporting companies will be subject to them as of June 5. 

In January, Microsoft disclosed in an Item 1.05 Form 8-K filing that a “nation-state associated threat actor” had gained access to and exfiltrated information from a “very small percentage” of employee email accounts including members of the company’s senior leadership team and employees in its cybersecurity, legal, and other functions. 

“As of the date of this filing, the incident has not had a material impact on the Company’s operations,” the Redmond, Washington-based tech giant said in the disclosure. “The Company has not yet determined whether the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.” 

HP Enterprise and Prudential Financial are among companies that have used similar language in breach disclosures filed with the SEC under the new cybersecurity rules.