September 18, 2024
Cyber Incidents: More Comments on Item 1.05 Disclosures
As Dave shared over the summer, Corp Fin Staff is reviewing and commenting on Item 1.05 disclosures in real-time. We’d already seen some letters pop up. But hat tip to Orrick’s Bobby Bee for pointing out this exchange regarding AT&T’s July 8-K, which is far more interesting than the first Item 1.05 comment letter. Here are some things to note:
First, the 8-K confirms some rumors about the delay provisions being used. It discloses that the DOJ determined a delay in public disclosure was warranted on May 9 and again on June 5. The SEC’s comment letter says nothing about this delay or the related disclosure.
Second, the 8-K says the incident “has not had a material impact on AT&T’s operations, and AT&T does not believe that this incident is reasonably likely to materially impact AT&T’s financial condition or results of operations.” As we know, the SEC has indicated that disclosures about immaterial incidents should be made under another item, such as 8.01, to avoid investor confusion. So, not surprisingly, the Corp Fin Staff’s only comment is to clarify whether the incident is material.
The response letter takes the following position: “[T]he question of whether an incident is ‘material’ for purposes of 1.05(a) of Form 8-K is distinct from the question of whether an incident is likely to have a ‘material impact’ on the registrant. … They are not the same concept: ‘material’ is broader than ‘material impact,’ and the definition’s focus is on investors and their viewpoints.”
The Staff stopped commenting after the response, but the “review complete” letter is longer than usual, saying “our decision not to issue additional comments should not be interpreted to mean that the Commission staff or the Commission either agree or disagree with, or are opining on the legality of, your disclosure or responses, conclusions, or positions you have taken.” The Staff points to the company’s conclusion that information about the incident would significantly alter the total mix of information made available due to “reputational and customer perception risks”:
Item 1.05’s inclusion of “financial condition and results of operations” is not exclusive; companies should consider qualitative factors alongside quantitative factors. … It appears inconsistent to conclude that an incident is material because of ‘reputational and customer perception risks associated with the incident’ but that the incident has not had, and is not reasonably likely to have, any material impacts on the company, including with respect to the company’s reputation and customer perception.
For anyone who joined Friday’s “Dialogue with the Director” at the ABA Business Law Section Fall Meeting, this sheds some light on a seemingly cryptic comment by Corp Fin Director Erik Gerding that “there seems to be a view” in the market that an incident could be material but there could be no material impacts, and reiterating that you have to consider qualitative impacts. Now I get it!
– Meredith Ervine