TheCorporateCounsel.net

June 21, 2024

Cybersecurity: Corp Fin Director Issues Statement on Selective Disclosure Concerns

Yesterday, Corp Fin Director Erik Gerding issued a statement addressing concerns expressed by some registrants that the SEC’s rules requiring disclosure of material cybersecurity incidents in an Item 1.05 Form 8-K preclude registrants from sharing information beyond that disclosed in the 8-K with others, including contractual counterparties. Director Gerding’s statement clarifies that this is not the case, and that Regulation FD offers various alternatives for sharing this information without raising selective disclosure concerns:

There are several ways that a public company can privately share information regarding a material cybersecurity incident beyond what was disclosed in its Item 1.05 Form 8-K without implicating Regulation FD. For example, the information that is being privately shared about the incident may be immaterial, or the parties with whom the information is being shared may not be one of the types of persons covered by Regulation FD.

Further, even if the information being shared is material nonpublic information and the parties with whom the information is being shared are the types of persons covered by Regulation FD, an exclusion from the application of Regulation FD may apply. For example, if the information is being shared with a person who owes a duty of trust or confidence to the issuer (such as an attorney, investment banker, or accountant) or if the person with whom the information is being shared expressly agrees to maintain the disclosed information in confidence (e.g., if they enter into a confidentiality agreement with the issuer), then public disclosure of that privately-shared information will not be required under Regulation FD.

The statement notes that while companies may be reluctant to share additional information about cybersecurity incidents with third parties, companies that follow the scope and requirements of the selective disclosure rules in Reg FD should not face undue impediments to mutually beneficial sharing of information regarding material cybersecurity incidents with third parties.

John Jenkins
