Darned if You Do, Darned if You Don’t: Recent Lessons from the SEC On Cyber Reporting
The Securities and Exchange Commission (SEC) Director of the Division of Corporation Finance, Erik Gerding, released a statement on May 21, 2024 that may have regulated entities scratching their heads about compliance and the agency’s views on cyber incident reporting.
The statement addresses what he characterizes as the persistent filing of “voluntary” cyber incident disclosures by companies that have not determined, in accordance with the SEC’s new rule on cybersecurity incident reporting, that their incident had a material impact on the company’s overall “financial condition and results of operations.”[1] We previously wrote about the new rule after it was adopted in July 2023. The rule requires disclosure of a material cybersecurity incident within 4 business days on a registrant’s Form 8-K at Item 1.05. Specifically, registrants must disclose any cybersecurity incident that is determined to be material and describe: (1) the material aspects of the nature, scope, and timing of the incident; and (2) the material impact or reasonably likely material impact of the incident, which may vary from incident to incident and includes but is not limited to its effect on financial condition and results of operations.[2] This rule was controversial at the time of adoption and has created some uncertainty among regulated entities about what the agency considers “material” and how best to comply. There are efforts underway in Congress to undo the rule using the Congressional Review Act, but in the meantime companies have to navigate the changing cyber regulatory landscape.
Our review of public filings demonstrates some caution on the part of filers, with some companies making filings under Item 1.05 where it is not clear that the incident is material. Instead, filers appear motivated to file in an abundance of caution without having made a materiality determination. While it was under consideration, commenters on the rule told the SEC that it may cause over-reporting by companies fearful of being second-guessed about their materiality determinations.
Reflecting on several months of reporting, Mr. Gerding is telling the regulated community that their cautious approach is problematic. He emphasizes that under the rule, a cyber incident disclosure under Item 1.05 is not “voluntary” and the requirement “is not triggered until the company determines the materiality of an incident.”[3] The statement reflects the staff’s concern that voluntary disclosures of incidents under Item 1.05 that do not reach the materiality threshold or where the company has not made a materiality determination will be confusing for investors.
Mr. Gerding encourages the disclosure of cyber incidents that a company has not determined to be material, or has determined are not material. However, he encourages companies to do so in a manner that does not undermine the purposes of Item 1.05 or the underlying rule. In other words, he urges companies to disclose such incidents under Item 8.01, Other Events, to “allow investors to more easily distinguish between the two and make better investment and voting decisions with respect to material cybersecurity incidents.”[4] The statement also warns that disclosing immaterial cyber incidents under Item 1.05 could lead investors to think an incident is material and to make an investment decision based on this misperception.
The statement makes several observations and recommendations, some of which appear to validate industry concerns about confusing standards, the potential need for updates, and compliance risk.
Gerding writes that if a company files a Form 8-K cyber incident disclosure under Item 8.01 for an incident it subsequently determines is material, the company should file another Form 8-K disclosing the material cyber incident under Item 1.05. This previews seriatim reporting and supplementation that is likely to add to companies’ compliance burdens.
He further reminds companies that the SEC has adjusted the materiality standard. He notes that the Commission’s Adopting Release provided that the assessment of the impact of the incident should not be limited to “’financial conditions and results of operations’” but should also take into account “’qualitative factors alongside quantitative factors.’”[5] Examples of qualitative factors include “’harm … [to] reputation, customer vendor relationships, or competitiveness.’”[6] He reminds regulated parties to also consider litigation and regulatory investigations by state, Federal, and non-U.S. authorities.[7] This approach to materiality was subject to comment in the rulemaking and was criticized for being difficult to apply.
The statement also clarifies that a company may determine that a cybersecurity incident is so significant that it is material, and disclose it on Form 8-K Item 1.05 before having determined its impact, but he notes that the filing should then include a statement that the impact remains to be determined. The 8-K “should provide investors with information necessary to understand the material aspects of the nature, scope, and timing of the incident.”[8] Once the company makes the impact determination, it should file an amendment to the Form 8-K within four days.
The key takeaway from Mr. Gerding’s statement is that the Division of Corporation Finance is concerned about the possible confusion of investors caused by the nearly 20 companies that have filed cyber incident disclosures on SEC Form 8-K Item 1.05 since the rule came into effect, with none of those companies determining that the incident had a “material impact or reasonably likely material impact … on the registrant, including its financial condition and results of operations.”[9] The Division’s clarification emphasizes that the required filing under the rule is not voluntary, as companies seem to have been filing under Item 1.05 out of an abundance of caution. Consequently, this statement may be an indication that the Division will take an increasingly aggressive approach to enforcing the rule while at the same time admonishing regulated entities that materiality determinations are complex and evolving, that they may be using the wrong Item, and that incidents may well require multiple filings. Such a message is notable given the agency’s near-simultaneous enforcement action for a failure to inform the SEC of a cyber event in what the agency deemed a timely fashion. That action drew a notable dissent from the two Republican SEC Commissioners, who wrote that “imposing a $10 million civil penalty …[for a] failure to notify the Commission of a single, de minimis incident is an overreaction” and that it amounted to “regulatory fly-specking around a firm’s response to an attack.”[10] Regulated entities may rightly be confused by mixed messages from the SEC on incident reporting, which on the one hand seem to demand prompt reporting but on the other admonish companies that are trying to do the right thing by putting investors on notice of an incident whose materiality may be difficult to assess. Suffice it to say, cyber incident reporting is becoming more and more complex and fraught with risk.
As the Cybersecurity and Infrastructure Security Agency continues with its new incident reporting rules, this complexity will only grow.
[1] Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, SEC, 88 Fed. Reg. 51896, 51903–04 (Aug. 4, 2023) (“Final Rule”).
[2] Id. (“The final rules will require the registrant to ‘describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.’”).
[3] Disclosure of Cybersecurity Incidents Determined To Be Material and Other Cybersecurity Incidents, SEC, Statement of Erik Gerding (May 21, 2024), https://www.sec.gov/news/statement/gerding-cybersecurity-incidents-05212024.
[4] Id.
[5] Id.
[6] Id.
[7] Id.
[8] Id.
[9] Final Rule at 51904.
[10] Forget about Collaborating—Stop, Pay-Up, and Listen: Statement on Intercontinental Exchange et al., SEC, Statement of Hester Peirce and Mark Uyeda (May 21, 2024), https://www.sec.gov/news/statement/peirce-uyeda-statement-intcntl-exchange-052224.