February 9, 2024

Cybersecurity Incidents: Consider Early Reporting under Item 7.01 or 8.01

Sometimes there’s no specific 8-K item triggered and no item where disclosure neatly fits, but a company wants to get certain information out there and turns to Item 7.01 or 8.01. This general scenario is not new, but this Cleary alert suggests 7.01 or 8.01 might be more frequently utilized when companies discover cybersecurity incidents but have yet to make a materiality determination. As Dave recently blogged, “the Titanic effect is real in many cybersecurity breaches, in that one can easily misperceive that the giant iceberg lurking under the surface is just some harmless floating ice,” and the SEC will be looking at disclosures with the benefit of hindsight. Here’s an excerpt from Cleary’s alert:

Given the number of moving pieces and factors to consider, it is likely that it may take some time to reach a definitive conclusion around materiality for any given cybersecurity incident.  If a registrant waits until it has come to a final conclusion around materiality, a significant amount of time may have passed since the initial discovery of the incident.

The SEC has been extremely focused on the timeliness of disclosure of cybersecurity incidents, and while an incident may appear to be immaterial for some period of time and non-disclosure at that time would be technically compliant with the disclosure rules, if the incident is later determined to be material, there is likely to be a tremendous amount of scrutiny around the timing of that determination. As a result, registrants will want to think carefully about the potential benefits of putting out disclosure on Form 8-K under Item 7.01 (Regulation FD Disclosure) or Item 8.01 (Other Events) (and/or in a press release or other Regulation FD-compliant channel) promptly after discovering a cybersecurity incident, while the materiality of the incident is still under consideration (including if they do not believe the incident will likely be deemed material).

The alert describes a number of potential benefits of using this approach initially:

[T]here is no preemptive concession by the registrant of the event’s materiality in a potential future litigation or otherwise.  In some circumstances, disclosure more quickly than the usual four day Form 8-K deadline will be appropriate.

We have seen an increasing number of registrants adopt this practice, even ahead of the Item 1.05 requirement becoming effective, and believe it can be an effective communication tool, while also mitigating regulatory and other risk.  By disclosing early, a registrant will give itself some breathing room to come to a materiality determination in an expeditious but methodical way that considers all necessary factors.  In addition, providing prompt disclosure may provide some protection from stock-drop lawsuits following a potential later announcement that the incident has been determined to be material.

Additionally, registrants may need to alert and provide ongoing updates to certain external stakeholders.  For example, registrants may need to coordinate logistics with vendors if their systems are inaccessible, or may be unable to meet their immediate obligations to customers due to production or operational issues.  These types of issues will necessitate real-time engagement with impacted constituencies.  Putting out public disclosure will facilitate this dialogue and alleviate any concerns around claims of selective disclosure in violation of Regulation FD.

It concludes this point by saying that this practice is expected to continue but “[w]hether Item 7.01 or Item 8.01 is appropriate (the latter of which carries with it an implicit element of materiality and is filed, not furnished) will be a facts and circumstances determination.”

Meredith Ervine