SEC’s Cybersecurity Disclosure Rules: Key Insights and Implications
Author: Destiny Aigbe
December 4, 2024
The SEC’s cybersecurity disclosure rules aim to enhance transparency but have left many companies grappling with uncertainties, particularly around determining materiality. Recent guidance from Erik Gerding, Director of the SEC Division of Corporation Finance, underscores the challenges issuers face in distinguishing between material and non-material cybersecurity incidents.
CHALLENGES IN DETERMINING MATERIALITY
1. Ambiguities in Materiality Standards
Gerding’s recent statement encouraged companies to voluntarily disclose non-material incidents but advised against using Item 1.05 of Form 8-K, titled “Material Cybersecurity Incidents.” He emphasized that such voluntary disclosures should avoid diluting the significance of material cybersecurity incidents. However, his suggestion to evaluate materiality using "all relevant factors" leaves much to interpretation, adding to the existing ambiguity.
2. Signal-to-Noise Ratio in Disclosures
A review of recent filings revealed that only a handful of disclosures under Item 1.05 involved material cybersecurity incidents. This low signal-to-noise ratio reflects the difficulty companies face in applying the materiality standard effectively. Non-material disclosures, while helpful, risk overshadowing significant incidents if not properly categorized.
RECENT ENFORCEMENT ACTION: A WAKE-UP CALL
In May, the SEC fined The Intercontinental Exchange Inc. (ICE) $10 million for failing to timely disclose a cybersecurity breach involving its subsidiaries, including the New York Stock Exchange. Although the incident occurred before the current rules, the enforcement highlights the SEC’s commitment to ensuring timely and accurate cybersecurity disclosures.
Key Takeaways from the ICE Case
- Timeliness Matters: Even a delay of a few days can lead to significant penalties.
- Accountability Across Subsidiaries: Parent companies must ensure their subsidiaries meet disclosure obligations.
- Precedent for Future Enforcement: The SEC is likely to act decisively against companies failing to comply with its cybersecurity disclosure rules.
GUIDANCE FOR COMPANIES
To navigate these challenges, companies should:
- Develop a Robust Incident Evaluation Framework: Assess materiality based on a comprehensive set of factors, including financial, operational, and reputational impacts.
- Enhance Internal Reporting Mechanisms: Ensure incidents are communicated promptly across subsidiaries and to the SEC.
- Clearly Differentiate Material and Non-Material Disclosures: Avoid using Item 1.05 for non-material incidents to maintain clarity and investor confidence.
LOOKING AHEAD
The SEC’s enforcement actions and evolving guidance signal that companies must take cybersecurity disclosure seriously. By proactively aligning their practices with SEC expectations, businesses can mitigate risks and demonstrate a commitment to transparency and compliance.