by Scott Kimpel
As we approach the one-year anniversary of the effective date of the U.S. Securities and Exchange Commission (“SEC”) reporting rules on Form 8-K for material cybersecurity incidents, we provide a high-level overview of the last year’s developments.
Background on SEC Reporting Rules
Under the SEC’s rules, Item 1.05 of Form 8-K generally requires public companies in the United States to disclose material cybersecurity incidents within four business days of determining that the incident is material. The disclosure must contain the nature, scope and timing of the incident and the impact or reasonably likely impact of the incident on the company, its financial condition and its results of operations. For these purposes, SEC rules define “cybersecurity incident” to include “an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.”
Under the U.S. federal securities laws, information is material if there is a substantial likelihood that a reasonable investor would consider it important in making an investment or voting decision, or if it would have significantly altered the “total mix” of information made available to investors. For future or uncertain events, materiality is determined by balancing the probability that an event will happen against the potential magnitude of the event in light of the totality of the company activity. There is no bright line test for determining whether particular information is material. The SEC has cautioned that the analysis does not turn solely on financial or quantitative factors, and that qualitative factors must also be considered.
Thus, a company’s materiality determination depends on the facts and circumstances unique to each incident, including both its quantitative impact on the company’s business and on qualitative factors such as the incident’s nature, extent and potential magnitude, particularly as those factors relate to any compromised information or the business and scope of the company’s operations. The impact of an incident may encompass a range of harms that should be considered in making the materiality determination, such as the potential: (1) negative impact on financial performance and operations; (2) harm to reputation; (3) harm to customer, vendor or other business relationships; (4) negative impact on competitiveness; and (5) litigation or regulatory investigations or actions. The SEC staff has repeatedly stressed these five qualitative factors, which are drawn from the SEC adopting release announcing the new rules, when providing public commentary on Item 1.05 disclosure.
Disclosures to Date of Cybersecurity Incidents
As of December 5, 2024, 24 separate companies have made disclosure under Item 1.05 to announce the existence of a material cybersecurity incident. As an alternative to Item 1.05 disclosure, many other companies have described cybersecurity incidents under other items of Form 8-K, particularly under Item 7.01 for Regulation Fair Disclosure and Item 8.01 for “other events.” Still other companies have described cybersecurity incidents in Form 10-Q, Form 10-K or elsewhere in SEC filings, but not under cover of Form 8-K.
To date, only one company has disclosed that it sought a delay from filing Form 8-K under a mechanism in the SEC rules that permits a company to petition the US Attorney General for a temporary filing deferral. It is certainly possible that other companies have also used this procedure but have not yet made public disclosure of the underlying event.
SEC Guidance, Enforcement Actions and Comment Letters
As with any new rule, disclosure practices have evolved rapidly in the year since the rules took effect. SEC staff have issued several guidance documents to help fine-tune disclosure practices since the effective date of the rules. Staff guidance seems to encourage companies to save Item 1.05 for the most significant cybersecurity incidents, and use another 8-K item (such as Item 8.01) for those that do not meet the criteria of Item 1.05.
The SEC in October 2024 announced settled enforcement actions against four companies regarding cybersecurity disclosure and found that one of the companies “negligently made materially misleading misstatements” in Form 8-K regarding a cyberattack. In this case, the SEC alleged that statements to investors minimized the attack by failing to disclose the nature of the code that the threat actor exfiltrated and the quantity of encrypted credentials accessed. Notably, the company’s disclosure was made prior to the effectiveness of Item 1.05.
The SEC staff has also issued a series of comment letters to companies that have made disclosure under Item 1.05, particularly when a given company has indicated that the event has not had a material impact on the company’s financial condition or results of operations. These letters are routine communications from the staff to a given company requesting clarification or revision of potentially ambiguous disclosure and part of the agency’s overall oversight of public companies. The comments differ slightly from company to company, but generally take the following form:
“We note the statement that you experienced a cybersecurity incident in your Form 8-K filed on _____, 2024. Please advise us as to why you determined to file under Item 1.05 of Form 8-K given the statement that the incident had not had a material impact on your operations, and you had not determined it was reasonably likely to materially impact your financial condition or results of operations.”
Companies receiving this comment have varied in their responses to the SEC staff. Some companies, particularly those that filed in the early days of the rule before any staff guidance was published, have conceded that they may have misread the rule and would reconsider such a filing in the future. Others have sought to justify the filing, and have made the argument to the SEC staff that the determination as to whether a material cybersecurity incident has occurred is a separate analysis from whether it would have a material impact on operations or financial condition. After the SEC staff pushed back on the first company to assert this interpretation, several companies have subsequently made substantially the same argument without further staff objection.
Each cybersecurity incident must of course be assessed on the unique facts and circumstances of that event. Nevertheless, when making the materiality determination, it appears that the SEC staff has set the bar relatively high for making disclosure under Item 1.05, and the staff seems to prefer that immaterial cybersecurity incidents be discussed elsewhere.
Looking Ahead
With the upcoming change in presidential administrations, it is possible that the SEC may provide further guidance on Item 1.05 or the other SEC cybersecurity disclosure requirements enacted since 2021. On January 20, 2025, Republicans will take a 2-1 majority at the SEC, and a Republican commissioner will be named acting chairman of the agency until Paul Atkins, President-Elect Trump’s nominee for permanent SEC chairman, obtains Senate confirmation. The two sitting Republican commissioners have sometimes expressed skepticism as to the agency’s approach to cybersecurity reporting and enforcement; however, the SEC’s cybersecurity rules likely will be a lower priority than other pressing matters, such as a revised approach to cryptocurrency regulation and repeal of the SEC’s climate disclosure rules. Accordingly, it is likely the current cybersecurity reporting regime will remain in place for some time.
Scott Kimpel is a Partner at Hunton Andrews Kurth LLP. This post first appeared on the firm’s blog.
The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity or any statements made on this site and will not be liable any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).