Selective Disclosure of Information Regarding Cybersecurity Incidents

Selective Disclosure of Information Regarding Cybersecurity Incidents

By Prathamesh 2 July, 2024

June 20, 2024

The Commission adopted rules requiring public companies to disclose material cybersecurity incidents under Item 1.05 of Form 8-K.[1] Since then, staff in the Division of Corporation Finance have heard assertions that those rules may preclude a company from sharing additional information about a material cybersecurity incident with others, including their commercial counterparties. Apparently, some companies are under the impression that if they experience a material cybersecurity incident, the Commission’s new rules prohibit them from discussing that incident beyond what was included in the Item 1.05 Form 8-K disclosing the incident. That is not the case.

Item 1.05 of Form 8-K requires a company that experiences a cybersecurity incident that it determines to be material to describe the material aspects of the nature, scope, and timing of the incident, as well as the incident’s material impact or reasonably likely material impact on the company, including its financial condition and results of operations. Nothing in Item 1.05 prohibits a company from privately discussing a material cybersecurity incident with other parties or from providing information about the incident to such parties beyond what was included in an Item 1.05 Form 8-K.[2] Those parties may include commercial counterparties, such as vendors and customers, as well as other companies that may be impacted by, or at risk from, the same incident or threat actor.

Also recognize that companies could conceivably have concerns that privately disclosing additional information regarding a material cybersecurity incident beyond what was included in an Item 1.05 Form 8-K could implicate the Commission’s rules regarding selective disclosures that are set forth in Regulation FD. It is important to reiterate the scope of Regulation FD.[4] As is well-known, Regulation FD requires public disclosure of any material nonpublic information that has been selectively disclosed to securities market professionals or shareholders, as specified in the regulation.[5] Depending on the information disclosed, and the persons to whom that information is disclosed, discussions regarding a cybersecurity incident may implicate Regulation FD.

To find out more details please visit :