May 22, 2024

Cyber Incidents: Corp Fin Director on Assessing Impact and Materiality

Yesterday’s statement from Corp Fin Director Erik Gerding (subject to the standard disclaimer) also addresses materiality determinations for cyber incidents, stressing that companies should assess “all relevant factors” and not limit that assessment to the incident’s impact on the company’s financial condition and results of operations.

“[C]ompanies should consider qualitative factors alongside quantitative factors.” For example, companies should consider whether the incident will “harm . . . [its] reputation, customer or vendor relationships, or competitiveness.” Companies also should consider “the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and Federal Governmental authorities and non-U.S. authorities.”

Echoing a key comment from SEC Speaks, the statement also adds the following (which is contemplated by Instruction 2 to Item 1.05):

There also may be cases in which a cybersecurity incident is so significant that a company determines it to be material even though the company has not yet determined its impact (or reasonably likely impact). In those cases, the company should disclose the incident in an Item 1.05 Form 8-K, include a statement noting that the company has not yet determined the impact (or reasonably likely impact) of the incident, and amend the Form 8-K to disclose the impact once that information is available.

The initial Form 8-K filing, however, should provide investors with information necessary to understand the material aspects of the nature, scope, and timing of the incident, notwithstanding the company’s inability to determine the incident’s impact (or reasonably likely impact) at that time.

Meredith Ervine