The Securities and Exchange Commission (SEC) recently published updated guidance for public companies on how and when to disclose cybersecurity incidents.
Issued as a follow-up to new rules adopted by the commission last year, the updated guidance is intended to provide businesses with increased clarity on how to report security breaches as well as minimize confusion among investors about what constitutes a “material” incident.
Here’s everything you need to know about the updates.
The SEC’s new rules on the disclosure of “material” cybersecurity incidents by public companies were first adopted in July 2023. The SEC defines material incidents as those that a “reasonable shareholder” would likely consider “important in an investment decision.”
For public companies, this means considering quantitative and qualitative factors, including:
Public companies that experience a material cybersecurity incident are required to disclose the nature, scope, timing, and impact (or likely impact) of the incident under Item 1.05 of Form 8-K within four business days of determining its materiality.
According to the SEC’s latest statement, organizations may amend the Form 8-K if additional information about the impact of an incident becomes available.
Nearly one year after these rules were adopted, Erik Gerding, director of the SEC’s Division of Corporation Finance, issued a statement clarifying that companies should not use Item 1.05 of Form 8-K for voluntary disclosures. Item 1.05 is meant only for disclosing incidents that have been determined to be material.
“If all cybersecurity incidents are disclosed under Item 1.05, then there is a risk that investors will misperceive immaterial cybersecurity incidents as material, and vice versa,” Gerding said.
Instead, companies should use a different item of Form 8-K for immaterial incidents. The SEC says:
The only exception noted by the SEC comes in cases when “immediate disclosure would pose a substantial risk to national security or public safety,” as determined by the U.S. Attorney General.
In his statement, Gerding said the updated guidance is not meant to discourage companies from voluntarily disclosing cybersecurity incidents that have been deemed immaterial or for which a materiality determination has not yet been made.
“Rather, this statement is intended to encourage the filing of such voluntary disclosures in a manner that does not result in investor confusion,” Gerding said.
“I recognize the value of such voluntary disclosures to investors, the marketplace, and ultimately to companies,” he added, “and this statement is not intended to disincentivize companies from making those disclosures.”
In fact, organizations that want to show customers and stakeholders that they are committed to data security and privacy should prioritize transparency, especially in the wake of a breach.
In addition to reporting the incident through the proper legal channels, maintaining open lines of communication with stakeholders is crucial. Brianna Plush, a senior consultant at BARR Advisory, suggests appointing a designated liaison who can communicate with customers about the incident.
“Every data breach, regardless of its size or scope, impacts customer trust. Rebuilding that trust requires open, transparent communication about what happened, why it happened, and what steps the organization is taking to mitigate the risk of future threats,” Plush said.
With our separate consulting and attestation practices, BARR Advisory is ready to help with every step of your cybersecurity journey, from managing incident disclosures to achieving and maintaining compliance. Contact us today to learn more.