SEC statement clarifies material cybersecurity incident disclosure requirement
Author: Destiny Aigbe
July 29, 2024
In July 2023, the U.S. Securities and Exchange Commission (SEC) finalized a pivotal rule requiring public companies to disclose material cybersecurity incidents under Item 1.05 of Form 8-K. This rule has significant implications for how companies manage and communicate about cybersecurity incidents. The SEC's guidance on what constitutes a "material" cybersecurity incident, and on the appropriate disclosure practices, is still evolving, and companies often err on the side of caution by over-disclosing. This blog post outlines the SEC's requirements, offers insights from recent SEC statements, and provides best practices for compliance.
UNDERSTANDING MATERIALITY IN CYBERSECURITY INCIDENTS
The concept of materiality, while well-established in other areas of SEC regulation, is particularly challenging in the context of cybersecurity. A cybersecurity incident is deemed material if "there is a substantial likelihood that a reasonable shareholder would consider it important" in making an investment decision. This determination involves assessing a wide range of qualitative and quantitative factors, including:
- Financial impacts
- Reputational damage
- Effects on customer and vendor relationships
- Operational disruptions
- Potential litigation and regulatory consequences
The challenge lies in the subjective nature of these assessments, with companies having to navigate a complex landscape without much precedent to guide their decisions.
SEC GUIDANCE ON DISCLOSURE PRACTICES
At the International Association of Privacy Professionals’ April 2024 Global Privacy Summit, SEC officials highlighted concerns about the overuse of "cover yourself 8-Ks" — disclosures filed without a clear materiality determination. To address this, the SEC's Division of Corporation Finance issued a statement on May 21, 2024, providing clearer guidelines on how to handle disclosures related to cybersecurity incidents.
Key Points from the SEC Statement:
- Use of Item 8.01 of Form 8-K for Immaterial Incidents:
  - Companies may disclose immaterial incidents under Item 8.01, which is used for reporting events not explicitly required by other sections of Form 8-K but deemed important to security holders.
- Pending Materiality Determinations:
  - If a company has not yet determined the materiality of a cybersecurity incident, it can disclose the incident under Item 8.01. Should the incident later be deemed material, the company must file an Item 1.05 Form 8-K within four business days of the determination, referencing the initial Item 8.01 disclosure if applicable.
- "So Significant" Incidents:
  - The statement introduces the concept of incidents that are "so significant" they warrant disclosure even before the full impact is known. While not explicitly defined, this term suggests incidents that, due to their nature or potential consequences, are likely to be material. Companies should disclose these incidents' nature, scope, and timing and update their disclosures as more information becomes available.
BEST PRACTICES FOR COMPLIANCE
To navigate these requirements effectively, companies should:
- Establish Clear Protocols:
  - Develop and document protocols for assessing the materiality of cybersecurity incidents. This includes defining the roles and responsibilities of key personnel and establishing criteria for determining materiality.
- Document Assessments:
  - Keep detailed records of the decision-making process regarding the materiality of cybersecurity incidents. This documentation can be crucial if the SEC or other regulators question the company's disclosures.
- Avoid Defensive Disclosures:
  - While it might be tempting to file disclosures preemptively, "cover yourself 8-Ks" can lead to investor confusion and potentially unwanted regulatory scrutiny. Ensure that disclosures are substantive and provide clear, useful information to investors.
- Regular Reviews and Updates:
  - Regularly review and update cybersecurity incident response and disclosure policies to ensure they align with evolving SEC guidance and industry best practices.
CONCLUSION
The SEC's recent rule on cybersecurity disclosures underlines the increasing importance of cybersecurity risk management in corporate governance. As companies adapt to these new requirements, they must carefully balance transparency with prudence, ensuring that disclosures are both informative and accurate. By establishing robust internal protocols and staying informed about regulatory developments, companies can better navigate the complexities of cybersecurity disclosures and maintain investor confidence.
About the Author
Destiny Aigbe
Managing Partner
Aigbe Law PLLC | Dark Alpha Capital
A Corporate and Securities Law Firm
With a robust foundation in law and finance, Destiny Aigbe has carved a distinguished career, underpinned by his pivotal role in orchestrating and managing complex transactions that have propelled companies to significant growth and market prominence. As a seasoned attorney and strategic advisor, Destiny has been instrumental in facilitating over $75 million in capital raises, demonstrating a keen acumen for securing funding and fostering investor confidence.
Destiny's leadership in the execution of six successful public listings, through meticulously structured reverse mergers and registration statements, showcases his adeptness in navigating the intricacies of the public markets and his capacity to guide companies through transformative growth phases. His involvement in five mergers as an operator further illustrates his versatile skill set, extending beyond legal expertise to include hands-on management and operational strategy, though these ventures did not involve funding.
Destiny's professional journey is marked by a commitment to excellence and a diverse range of experiences, from representing a wide spectrum of clients including public and private companies, and investment firms, to holding significant roles within the US government. His tenure with the US Department of State and the National Institutes of Health highlights his adaptability and his contribution to the advancement of entrepreneurial ventures in sectors like biotechnology and nanotechnology through strategic funding initiatives.
An alumnus of Vanderbilt University Law School, Destiny focused on Finance and Mergers & Acquisitions, further honing his expertise with a certificate in Law and Business. His foundational education in Finance was obtained with honors from the University of Maryland's Robert H. Smith School of Business, which laid the groundwork for his subsequent achievements in investment banking and legal practice.
Residing in the Washington, D.C. area, Destiny Aigbe continues to leverage his extensive experience and insightful leadership to drive innovation, growth, and success for his clients and the ventures he is involved with.
© Aigbe Law, PLLC