May 24, 2024

Cyber Incidents: More on Reporting Early or Immaterial Incidents

Earlier this week, I shared a statement from Corp Fin Director Erik Gerding encouraging companies that choose to voluntarily disclose an immaterial cybersecurity incident or choose to disclose early while a materiality determination is still being made to do so under a different item of Form 8-K — like 8.01 for Other Events — not Item 1.05. This Gibson Dunn blog on the statement gives some statistics on Item 1.05 8-Ks filed so far that provide some context for why Director Gerding issued this statement.

[A]s of May 22, 2024, 17 companies have disclosed cybersecurity incidents under Item 1.05 over the course of 26 filings (inclusive of 8-K amendments) whereas 7 companies reported cybersecurity incidents under Item 7.01 or 8.01. Of those 17 companies reporting events under Item 1.05, with some companies disclosing material operational impact while the incident was ongoing or material impact on financial quarterly results, most of these companies disclosed no material impact on their operations and also generally disclosed (either as part of original filing or by amendment) that the cyber incidents have not had, or were not expected to have, a material impact on such companies’ overall financial condition or results of operations (or that companies have not yet made a materiality determination).

I think companies are very accustomed to filing under Item 8.01 for other disclosures that may be related to but don’t trigger another 8-K item, and I chalk this up to growing pains as they adapt to the new requirements. The blog also describes why these voluntary filings are so common.

Companies have often encountered challenges in reaching a materiality determination with respect to cybersecurity incidents due to the often tedious process of evaluating the nature and scope of an incident, the extent of unknown information, and the difficulty of assessing future consequences, particularly in the context of an evolving situation. Since the new rules went into effect, companies now must conduct an ongoing reassessment of whether the incident has crossed the tipping point to become, in some aspect, material to investors, based on the known state of information and assessment of potential impacts. As such, companies facing potential scrutiny for not making timely disclosure have opted to voluntarily disclose cybersecurity incidents before reaching a definitive materiality determination.

Since Director Gerding’s statement was very explicit that it was not discouraging voluntary filings, I assume we’ll continue to see them, but hopefully under another item.

Meredith Ervine