SEC Cybersecurity Reporting: Latest Updates and Guidelines
As we approach the one-year mark since the SEC’s reporting rules on Form 8-K for material cybersecurity incidents went into effect, let’s take a look at what has transpired over the past year.
Background on SEC Reporting Rules:
The SEC’s rules require public companies in the United States to disclose a material cybersecurity incident on Form 8-K within four business days of determining that the incident is material, and that materiality determination must itself be made without unreasonable delay after discovery. The disclosure should describe the material aspects of the incident’s nature, scope, and timing, and its material impact (or reasonably likely material impact) on the company, including its financial condition and results of operations. A cybersecurity incident is defined as an unauthorized occurrence, or a series of related unauthorized occurrences, on or through a company’s information systems that jeopardizes the confidentiality, integrity, or availability of those systems or of any information residing in them.
Determining Materiality:
Materiality follows the general securities-law standard: information is material if there is a substantial likelihood that a reasonable investor would consider it important. For an incident whose consequences are still unfolding, this means weighing the probability of a given outcome against its potential magnitude in relation to the company’s overall activities. Factors such as financial impact, harm to reputation, customer and vendor relationships, competitiveness, and legal or regulatory consequences all enter the assessment. There is no bright-line test; both quantitative and qualitative aspects are taken into account, and an incident can be material even when its direct financial cost is small.
Disclosures of Cybersecurity Incidents:
To date, 24 companies have disclosed material cybersecurity incidents under Item 1.05 of Form 8-K. Other companies have reported incidents under different items of Form 8-K or in other SEC filings. Only one company has sought a filing delay through the rule’s special procedure, under which the U.S. Attorney General may determine that immediate disclosure would pose a substantial risk to national security or public safety.
SEC Guidance and Enforcement Actions:
The SEC has provided guidance to help companies refine their disclosure practices. Settlements have been reached with four companies over misleading cybersecurity disclosures. The SEC has also issued comment letters to companies that disclosed incidents under Item 1.05, seeking clarification on whether, and how, the company concluded the incident was material.
Looking Ahead:
As companies continue to navigate these reporting requirements, the SEC’s stated preference is clear: Item 1.05 is reserved for incidents the company has determined to be material, while incidents that are not (or not yet) determined to be material should be disclosed elsewhere, such as under Item 8.01. Each incident is unique and must be evaluated on its own facts, and that evaluation should be documented so the basis for the materiality decision can be shown later.
In conclusion, the past year has seen significant developments in how companies report cybersecurity incidents to the SEC. Going forward, companies will need to assess the materiality of such events carefully, choose the correct Form 8-K item for the disclosure, and ensure that the disclosure is accurate, complete, and timely in compliance with SEC regulations.