Among the many instructive takeaways from the Society Securities Law Committee’s annual meeting on May 20 with the staff of the SEC Division of Corporation Finance (which we previously noted here):
In response to the Society’s observation that most companies are using Item 1.05 Form 8-K reports to disclose cybersecurity incidents that have not been determined to be material or that have been determined to be immaterial, the staff reaffirmed that Item 1.05 is intended for disclosure of material incidents and that Item 8.01 is more appropriate for voluntary disclosure of incidents that have not been determined to be material or that have been determined to be immaterial. We previously reported on four companies since the effective date of the new rule that have disclosed cyber incidents under Items 7.01 or 8.01. In addition to technical compliance with Form 8-K, the staff emphasized that honoring this distinction better serves investors by appropriately flagging material events.
The staff also advised that companies that elect to file an Item 8.01 (or 7.01) Form 8-K initially to disclose an incident that has not been determined to be material and that subsequently make a materiality determination should then file an Item 1.05 Form 8-K that references the previous Item 8.01 (or 7.01) filing.
Director Erik Gerding’s May 21 statement fairly reflects his remarks at the meeting on this topic and also reiterates factors referenced in the adopting release that may weigh into a materiality determination.
Stay tuned for more key takeaways from the meeting!