BCLPSecCorpGov.com
SEC staff issues guidance for reporting cybersecurity incidents under Item 1.05 versus Item 8.01 of Form 8-K
May 29, 2024
On May 21, 2024, the Director of the SEC’s Division of Corporation Finance issued a statement providing guidance on the use of Item 1.05 of Form 8-K to disclose cybersecurity incidents.
Although the statement did not discuss the results of the Staff’s review of recent practice, our informal survey of the 26 Form 8-Ks filed under Item 1.05 through mid-May (including amendments of prior filings) showed fewer than five disclosed a determination of materiality, with the rest – more than 80% – disclosing that (1) no determination had yet been made or (2) there had been no material impact or that no material impact was reasonably expected.
Don’t use Item 1.05 for immaterial incidents; use another Item, such as 8.01, for voluntary disclosures – including where materiality is uncertain
The Director encourages the use of a different Form 8-K item for disclosure (for example Item 8.01) for incidents that have not yet been determined to be material – or that have been found to be immaterial. The SEC Staff is concerned that excessive use of Item 1.05 creates risk that investors will misperceive immaterial cybersecurity incidents as material, and vice versa, and dilute the value of Item 1.05 disclosures of material incidents.
The Staff does not want to discourage companies from making voluntary disclosures where they have not yet determined materiality, or from disclosing incidents determined to be immaterial. If a company later determines that the incident is material, then it should file an Item 1.05 8-K within four business days of such determination. That 8-K may refer to the earlier 8-K disclosure, but the company would need to ensure the subsequent disclosures satisfy the requirements of Item 1.05.
Timing of determination of materiality versus determination of impact; use Item 8.01 until finding of materiality and then amend 8-K to report under Item 1.05
As discussed in our July 26, 2023 post, companies should determine materiality based on all relevant factors, including quantitative and qualitative factors such as:
- Financial condition and results of operations
- Harm to a company’s reputation, customer or vendor relationships, or competitiveness
- The possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-U.S. authorities
In some cases, the incident may be so significant that it’s clearly material even if the company has not yet determined its impact. In those cases, the company should disclose the incident under Item 1.05 and expressly state that the company has not yet determined the impact (or reasonably likely impact). It should then amend the 8-K to disclose the impact once that information is available. The initial 8-K should cover the material aspects of the nature, scope, and timing of the incident, even if the company is unable to determine its impact at that time.
To avoid doubt, the Staff stated:
“[A] company that discloses a cybersecurity incident under Item 8.01 of Form 8-K for which it has not yet made a materiality determination is still subsequently required, under Item 1.05 of Form 8-K, to determine, without unreasonable delay, whether the incident was material.”