Cybersecurity Event Disclosures – New C&DIs and an Announcement Addressing Selective Disclosure Concerns

On June 24, 2024, CorpFin issued five new C&DIs addressing cybersecurity incident reporting on Form 8-K Item 1.05. The C&DIs focus on situations where a company has experienced an attack such as a ransomware attack. For example, C&DI 104B.05 states that if a company experiences an attack and makes a ransomware payment before a materiality determination is made, it must still make a materiality determination and, if the incident is material, report it on Form 8-K Item 1.05. New C&DI 104B.07 states that if insurance provides a recovery of all or a substantial portion of the payment, a materiality assessment based on both quantitative and qualitative considerations must still be made. And C&DI 104B.08 makes the point that the size of a ransomware payment is not the only factor in making a materiality determination: qualitative aspects such as potential reputational harm could make a cybersecurity incident material even in breaches where the financial impact is relatively small.

In another cybersecurity event disclosure development, on June 20, 2024, Erik Gerding, CorpFin Division Director, issued an Announcement titled “Selective Disclosure of Information Regarding Cybersecurity Incidents.” In the Announcement Mr. Gerding states:

“Apparently, some companies are under the impression that if they experience a material cybersecurity incident, the Commission’s new rules prohibit them from discussing that incident beyond what was included in the Item 1.05 Form 8-K disclosing the incident.  That is not the case.”

Mr. Gerding notes that:

“Nothing in Item 1.05 prohibits a company from privately discussing a material cybersecurity incident with other parties or from providing information about the incident to such parties beyond what was included in an Item 1.05 Form 8-K.”

The Announcement then summarizes various concerns companies may have about how Regulation FD may apply to disclosures to third parties such as vendors, customers or other companies that could be affected by a similar incident. After a brief review of applicable Regulation FD considerations, Mr. Gerding explores ways to avoid selective disclosure concerns, including a reminder that Regulation FD applies only to certain parties outside a company and that the use of confidentiality agreements can mitigate selective disclosure concerns.

As always, your thoughts and comments are welcome!
