​SEC official clarifies material incident reporting under new cyber rule

Erik Gerding cautioned companies against using the new 8-K filing item under the rule (Item 1.05) meant for reporting incidents deemed to be material for disclosing matters that might be material or where materiality was already ruled out.

Instead, he advised companies use another item (e.g., Item 8.01) to share such updates in order to avoid the potential for investor confusion.

“This clarification is not intended to discourage companies from voluntarily disclosing cybersecurity incidents for which they have not yet made a materiality determination or from disclosing incidents that companies determine to be immaterial,” said Gerding in his statement Tuesday. “… Rather, this statement is intended to encourage the filing of such voluntary disclosures in a manner that does not result in investor confusion or dilute the value of Item 1.05 disclosures regarding material cybersecurity incidents.”

Gerding noted cybersecurity incidents disclosed elsewhere than Item 1.05 that are later determined to be material must subsequently be redisclosed under Item 1.05 within four business days of that determination, as mandated under the SEC’s new rule.

He concluded by listing factors companies should assess when determining materiality, including:

• Impact on financial conditions and operations;
• Harm to reputation, vendor relationships, or competitiveness; and
• The possibility of litigation or regulatory action related to the incident.

The SEC’s cybersecurity incident disclosure rule took effect in December and requires public companies to disclose the nature, scope, timing, and impact of cybersecurity incidents deemed to be material within four business days. Incidents that have since occurred at companies, including apparel company VF, offer examples of how businesses have sought to meet the requirements of the rule.