June 26, 2024
Form 8-Ks for Cybersecurity Incidents: The SEC Staff is Watching
If you have been in this game for a while, you know that there are some “truisms” when it comes to the Disclosure Review Program administered by the SEC’s Division of Corporation Finance. One of those truisms is that, in general, the Corp Fin Staff does not typically monitor or review Form 8-K filings in real time, with the exception of Section 4 Form 8-Ks, which are monitored and reviewed in real time by the accounting Staff. Instead, the Staff will typically review Form 8-K filings during the course of reviewing a company’s periodic reports, with that review usually conducted on a periodic basis after the company files its Form 10-K. Based on recent experience, it appears that the Staff has modified its procedures so that we are now seeing comments on Item 1.05 Form 8-Ks in real time.
It is perhaps no surprise that the Staff is reviewing and commenting on Item 1.05 Form 8-K filings, given all of the recent focus on current disclosure of material cybersecurity incidents. As Meredith noted back in May and as John noted last week, Corp Fin Director Erik Gerding has issued statements concerning the filing obligation under Item 1.05 and selective disclosure considerations regarding material cybersecurity incidents. As I noted yesterday, the Staff has updated its Exchange Act Form 8-K Compliance and Disclosure Interpretations to address when companies are required to disclose information on a current basis under Item 1.05 and how the materiality determination is made when assessing that disclosure obligation.
The Staff’s comments on Item 1.05 Form 8-Ks appear to be focused on why a company filed under Item 1.05 of Form 8-K, and in particular whether the company considered the reported cybersecurity incident to be material. The Staff’s comments have focused on situations where companies indicate in their Item 1.05 Form 8-K disclosure that the company does not believe that the incident has had a material impact on the company’s operations or financial condition, and/or the incident is not anticipated to have a material impact on the company’s financial condition and results of operations going forward. Given these sorts of statements, it appears that the Staff is trying to understand the rationale for filing the Form 8-K under Item 1.05, which requires current disclosure of “a cybersecurity incident that is determined by the registrant to be material.”
The Staff’s recent comments on these filings highlight the need for companies to conduct a carefully considered analysis of the materiality of a cybersecurity incident before deciding to report that incident in an Item 1.05 Form 8-K, and to have a thoroughly documented rationale for the materiality determination at the ready in the event that the Staff raises a comment on the Form 8-K filing.
– Dave Lynn