When Is the Cybersecurity Form 8-K Required? SEC Provides Updated Guidance

The final cybersecurity incident disclosure rules adopted by the Securities and Exchange Commission (“SEC”) became effective in late 2023, and since then, the SEC has been closely monitoring the disclosure newly required under Item 1.05 of Form 8-K. Under that item, a public company is required to report any cybersecurity incident it determines is “material.” Given the fact-intensive nature of this new disclosure item, the SEC has been active in providing updated guidance to public companies through multiple statements by the Director of the Division of Corporation Finance (“Corp Fin”), new compliance and disclosure interpretations (“CDI”) about Item 1.05 under question 104B, and comment letters issued to companies that have already filed under Item 1.05. As companies encounter this new disclosure, they may have questions that the SEC has recently provided guidance about, such as those outlined below.

Should I file a Form 8-K if the cybersecurity incident is not material?

Maybe, but not under Item 1.05. Corp Fin has emphasized that the disclosure under Item 1.05 is not voluntary disclosure, and it is not triggered unless and until the company determines that the cybersecurity incident is material. Companies have received comment letters essentially questioning why Item 1.05 was used if a cybersecurity incident was determined to be immaterial. Corp Fin encourages companies to disclose an incident that is not material under Item 8.01 to help investors to distinguish between material (Item 1.05) and immaterial (Item 8.01) cybersecurity incidents. This voluntary disclosure can be helpful if you believe it is important to disseminate the information about an immaterial cybersecurity incident.

Can I contact other parties and share information about a cybersecurity incident without violating Regulation FD?

Yes, using your existing guidelines for sharing information. Keep in mind that Regulation FD only applies to material nonpublic information that is shared with people covered by Regulation FD (investors, analysts, securities market professionals and similar persons). Sharing information with persons who owe a duty of trust or confidentiality to the company will not implicate Reg FD or constitute selective disclosure. In a statement, the Director of Corp Fin reminded companies that Reg FD does not prohibit companies from sharing information about a cybersecurity incident that extends beyond what is disclosed in a Form 8-K. The SEC does not want its rules to prevent communications with parties that may assist with remediation, mitigation or risk avoidance.

If a cybersecurity incident ends before I complete the materiality analysis under Item 1.05, must I still complete the materiality analysis?

Yes. You must still analyze whether the cybersecurity incident was material even if it has ended or appears to have ended. See CDI Question 104B.05.

If a material cybersecurity incident ends before I file the Item 1.05 Form 8-K, must I still file the Form 8-K?

Yes. The Item 1.05 Form 8-K is triggered by the determination that the cybersecurity incident was material, and that trigger is not resolved by the end or apparent end of the cybersecurity incident. See CDI Question 104B.06.

If insurance proceeds will cover the costs incurred due to a cybersecurity incident, can I skip the materiality analysis?

No. You must still perform the materiality analysis and consider the quantitative and qualitative impacts of the cybersecurity incident. The fact that insurance proceeds blunted the financial impact of the cybersecurity incident may be considered in this analysis, but should be weighed against the possibility of being able to obtain cybersecurity insurance in the future (and at what cost). See CDI Question 104B.07.

If a cybersecurity incident leads to making a small ransomware payment, must I still complete the materiality analysis?

Yes. Even if the initial financial impact is relatively small, a cybersecurity incident may still be material. See CDI Question 104B.08.

Should I aggregate multiple immaterial cybersecurity incidents when analyzing whether the incident(s) are material?

Maybe, depending on the relationship between the incidents. If the incidents are related, it is more likely that the incidents should be considered both alone and as a group. Keep in mind that the SEC’s definition of “cybersecurity incident” includes “a series of related unauthorized occurrences.” See CDI Question 104B.09.

For additional information on the cybersecurity disclosure rules, please see the fact sheet, complete rules and our legal current entitled “Public Companies Beware: SEC Introduces Yet Another Data Breach Notification Deadline and Other Cybersecurity Requirements.” If you have any questions related to the new rules and the SEC’s recent guidance, reach out to the HSE Privacy & Data Security or Securities & Capital Markets teams.

Attorney Advertising. Prior results do not guarantee a similar outcome. This publication is provided as a service to clients and friends of Harter Secrest & Emery LLP. It is intended for general information purposes only and should not be considered as legal advice. The contents are neither an exhaustive discussion nor do they purport to cover all developments in the area. The reader should consult with legal counsel to determine how applicable laws relate to specific situations. ©2024 Harter Secrest & Emery LLP