TheCorporateCounsel.net

April 3, 2024

Corp Fin Workshop Addresses Cyber Disclosures

Yesterday, during a well-staffed Corp Fin Workshop — the last panel of the day at “The SEC Speaks in 2024” — each participating Staff member discussed a key disclosure topic highlighting 2023 trends and comments and 2024 considerations. This is always a very useful conversation! (Keep in mind that all Staff comments are subject to the standard disclaimer that the views are the person’s own in their official capacity and not necessarily reflective of the views of the Commission, the Commissioners, or members of the Staff, and our summaries are based on our real-time notes.) Two buzz-worthy topics addressed in this year’s panel were disclosures under the final cyber rules and discussions of AI in SEC filings.

With respect to cyber incident disclosures, the Staff stressed that the disclosure of the incident’s impact should be qualitative in addition to quantitative — including when the related harm can’t be quantified. For example, to the extent material, disclosures should discuss the impact of any data theft and of the incident generally on the company’s reputation, competitiveness and customer or vendor relationships, even if those can’t be linked to bottom line numbers on a quarterly or annual basis.

The Staff also discussed the concept of “without unreasonable delay.” If you have regular protocols and procedures in place, including ones that layer in the materiality assessment for the incident, any change to those procedures that delays or is done to delay or postpone the materiality determination might constitute “unreasonable delay.” The Staff also noted that companies might not need to wait for the investigation or fact gathering to be complete to make a materiality determination, and instruction 2 contemplates that possibility by allowing unavailable information to be provided later by amendment.

One of the key themes from yesterday — from the Corp Fin Staff at least — was their focus on transparency through a multi-pronged approach to engaging with companies using one-to-one and one-to-many communications, including speaking engagements and participation in conferences. The Staff’s thoughtful, specific and timely commentary supported this IMHO, and the panels were publicly available to all.

Meredith Ervine