BDO Bulletin: SEC Staff Statement on Cybersecurity Incidents Disclosure

Summary

The SEC staff clarified that registrants who voluntarily disclose cybersecurity incidents in Form 8-K should not do so under Item 1.05, Cybersecurity Incidents, of Form 8-K (“Item 1.05”) because it may be confusing to investors. Registrants may voluntarily disclose cybersecurity incidents under Item 8.01, Other Events, of Form 8-K (“Item 8.01”). The SEC staff believes the distinction between disclosing a material cybersecurity incident under Item 1.05 and a voluntary disclosure under Item 8.01 allows investors to make better investing and voting decisions related to material cybersecurity incidents.


Cybersecurity Incidents Disclosure

The following details the SEC staff’s statement on disclosing material and other cybersecurity incidents: 


| Cybersecurity Incident Determination | Is Disclosure Required in Form 8-K? |
| --- | --- |
| Material | Yes. Item 1.05 requires registrants to disclose cybersecurity incidents within four business days from the date they determine the incident(s) to be material. This determination must be made without unreasonable delay. |
| Materiality Assessment Incomplete | No. Registrants that voluntarily disclose the cybersecurity incident in Form 8-K should do so under Item 8.01, not Item 1.05. Registrants that later determine the incident is material must disclose the incident under Item 1.05 within four business days of the date they determine the incident is material. Registrants may refer to the Item 8.01 disclosures, but additional disclosure may be necessary to comply with the requirements under Item 1.05. |
| Immaterial | No. Registrants that voluntarily disclose the cybersecurity incident in Form 8-K should do so under Item 8.01, not Item 1.05. |


The SEC staff stated that the intent of this clarification is not to deter registrants from voluntarily reporting cybersecurity incidents, but rather to encourage such disclosures under Item 8.01 instead of Item 1.05. The distinction between disclosing material cybersecurity incidents under Item 1.05 and other cybersecurity incidents under Item 8.01 is to help investors more readily distinguish between material and other cybersecurity incidents. The SEC staff also reminded registrants that determining the materiality of a cybersecurity incident involves an assessment of both quantitative and qualitative factors.




SEC Staff Statement: Disclosure of Cybersecurity Incidents Determined To Be Material and Other Cybersecurity Incidents

BDO Bulletin: The SEC’s New Cybersecurity Disclosure Rules are Here

BDO Bulletin: SEC Staff Releases New Interpretive Guidance on Cybersecurity Incident Disclosure