TheCorporateCounsel.net

Yesterday, Corp Fin added one more Form 8-K CDI addressing a company’s efforts to delay Item 1.05 disclosure of a material cyber incident on national security or public safety grounds:

Question 104B.04

Question: Would the sole fact that a registrant consults with the Department of Justice regarding the availability of a delay under Item 1.05(c) necessarily result in the determination that the incident is material and therefore subject to the requirements of Item 1.05(a)?

Answer: No. As the Commission stated in the adopting release, the determination of whether an incident is material is based on all relevant facts and circumstances surrounding the incident, including both quantitative and qualitative factors, and should focus on the traditional notion of materiality as articulated by the Supreme Court.

Furthermore, the requirements of Item 1.05 do not preclude a registrant from consulting with the Department of Justice, including the FBI, the Cybersecurity & Infrastructure Security Agency, or any other law enforcement or national security agency at any point regarding the incident, including before a materiality assessment is completed. [December 14, 2023]

Corp Fin Director Erik Gerding also issued a lengthy statement on the rationale underlying the SEC’s adoption of the cybersecurity disclosure and governance rules, the mechanics of the rules, the national security and public safety delay provisions, and Corp Fin’s next steps concerning implementation of the rules and review of disclosures. In the course of that discussion, he commented on the motivation behind the latest CDI:

I hope this [CDI] underscores that the rule does not create a disincentive for public companies to consult with law enforcement or national security agencies about cybersecurity incidents. Indeed, I would encourage public companies to work with the FBI, CISA, and other law enforcement and national security agencies at the earliest possible moment after cybersecurity incidents occur. I believe this timely engagement is in the interest of investors and the public. While this is not within the Commission staff’s purview, companies and government agencies may find that such timely engagement could assist them in a later determination of whether to seek a delay from the DOJ.

Director Gerding closed his statement by offering reassurance that in the first year of the rule’s implementation, Corp Fin isn’t looking to “make ‘gotcha’ comments or penalize foot faults,” and that to the extent appropriate, it may issue “future filings” comments or additional CDIs.

– John Jenkins