On May 21, 2024, the U.S. Securities and Exchange Commission (“SEC”) published interpretive guidance on reporting material cybersecurity incidents under Form 8-K. Lawyers at Hunton Andrews Kurth comment:
Since December 18, 2023, when the SEC’s rules for reporting material cybersecurity incidents under Item 1.05 on Form 8-K took effect, we have identified 17 separate companies that have made disclosures under the new rules. Since that date, several other companies also have made disclosures regarding cybersecurity incidents under other Form 8-K items. A large majority of those companies reporting under Item 1.05 have either not yet determined that the triggering incident was material, or determined that the event was in fact immaterial.
This phenomenon has not gone unnoticed at the SEC, and it has created a great deal of discussion in the investor community as well as among the securities bar. Eric Gerding, Director of the SEC’s Division of Corporation Finance (which oversees public company disclosure), released remarks on May 21 encouraging companies to be more judicious in their disclosure under Item 1.05. Gerding was clear that Item 1.05 should generally not be used for immaterial events:
Read more of the law firm’s commentary on their Information & Security Law Blog.