On May 21, 2024, the SEC’s Division of Corporation Finance issued a statement providing more information on how public companies disclose material cybersecurity incidents on Form 8-K. The rule, which went into effect in December 2023, requires companies to promptly report incidents considered “material” under Item 1.05.
Here are the key points of this groundbreaking legislation:
- Companies are urged, but not required, to disclose non-material cybersecurity events.
- The form on which material events are reported must be updated when new information comes to light.
- In deciding whether an event is material (and therefore reportable) or non-material, companies should consider the event’s financial impact, the operational disruption it causes, the sensitivity of the data involved, whether regulations or industry standards were violated, and the potential damage to the company’s reputation.
Who does it apply to: Public companies
When does it become effective: December 1, 2023
What does it do: Requires public companies to disclose material cybersecurity events
Why was this law created: To clarify material reporting requirements to hold all public companies to the same standards
Potential Problems (or the law of unanticipated consequences which should have been anticipated): The main challenge for in-house counsel will be to determine whether a cybersecurity event is material or not, when an event changes from non-material to material, and how best to word the disclosure. [However, given the overturning of the Chevron precedent (which required courts to defer to a federal agency’s reasonable statutory interpretation), it is possible that SEC rules will be some of the first to be re-examined by the federal court system, providing a huge advantage to corporate America wishing to rid itself of those pesky regulations.]