Statement

Selective Disclosure of Information Regarding Cybersecurity Incidents

Erik Gerding, Director, Division of Corporation Finance
Washington D.C.

[*] Last year, the Commission adopted rules requiring public companies to disclose material cybersecurity incidents under Item 1.05 of Form 8-K.[1]  Since then, staff in the Division of Corporation Finance have heard assertions that those rules may preclude a company from sharing additional information about a material cybersecurity incident with others, including their commercial counterparties.  Apparently, some companies are under the impression that if they experience a material cybersecurity incident, the Commission’s new rules prohibit them from discussing that incident beyond what was included in the Item 1.05 Form 8-K disclosing the incident.  That is not the case.

Item 1.05 of Form 8-K requires a company that experiences a cybersecurity incident that it determines to be material to describe the material aspects of the nature, scope, and timing of the incident, as well as the incident’s material impact or reasonably likely material impact on the company, including its financial condition and results of operations.  Nothing in Item 1.05 prohibits a company from privately discussing a material cybersecurity incident with other parties or from providing information about the incident to such parties beyond what was included in an Item 1.05 Form 8-K.[2]  Those parties may include commercial counterparties, such as vendors and customers, as well as other companies that may be impacted by, or at risk from, the same incident or threat actor.[3]  I recognize that sharing information about a material cybersecurity incident with those parties may assist with remediation, mitigation, or risk avoidance efforts and may facilitate those parties’ compliance with their own incident disclosure and reporting obligations, if required under the Commission’s rules or other regulatory regimes.

I also recognize that companies could conceivably have concerns that privately disclosing additional information regarding a material cybersecurity incident beyond what was included in an Item 1.05 Form 8-K could implicate the Commission’s rules regarding selective disclosures that are set forth in Regulation FD.  It is important to reiterate the scope of Regulation FD.[4]  As is well-known, Regulation FD requires public disclosure of any material nonpublic information that has been selectively disclosed to securities market professionals or shareholders, as specified in the regulation.[5]  Depending on the information disclosed, and the persons to whom that information is disclosed, discussions regarding a cybersecurity incident may implicate Regulation FD. 

That said, nothing in Item 1.05 alters Regulation FD or makes it apply any differently to communications regarding cybersecurity incidents.  There are several ways that a public company can privately share information regarding a material cybersecurity incident beyond what was disclosed in its Item 1.05 Form 8-K without implicating Regulation FD.  For example, the information that is being privately shared about the incident may be immaterial, or the parties with whom the information is being shared may not be one of the types of persons covered by Regulation FD.[6]  Further, even if the information being shared is material nonpublic information and the parties with whom the information is being shared are the types of persons covered by Regulation FD, an exclusion from the application of Regulation FD may apply.[7]  For example, if the information is being shared with a person who owes a duty of trust or confidence to the issuer (such as an attorney, investment banker, or accountant)[8] or if the person with whom the information being shared expressly agrees to maintain the disclosed information in confidence (e.g., if they enter into a confidentiality agreement with the issuer),[9] then public disclosure of that privately-shared information will not be required under Regulation FD.

While some companies may have a general reticence to privately share information regarding a material cybersecurity incident, as discussed earlier, the Commission’s rules generally do not prohibit the sharing of such information.  The selective disclosure rules in Regulation FD were adopted over 20 years ago.[10]  As such, public companies and their attorneys should be well-versed in navigating those rules, and, if the scope and requirements of those rules are heeded, they should not pose an undue impediment to the mutually beneficial sharing of information regarding material cybersecurity incidents.

[*] This statement is provided in the author’s official capacity as the Commission’s Director of the Division of Corporation Finance but does not necessarily reflect the views of the Commission, Commissioners, or other members of the staff.  This statement is not a rule, regulation, or statement of the Commission.  The Commission has neither approved nor disapproved its content.  This statement, like all staff statements, has no legal force or effect: it does not alter or amend applicable law, and it creates no new or additional obligations for any person.

[1] Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11216; 34-97989 (July 26, 2023) [88 FR 51896 (Aug. 4, 2023)] (“Adopting Release”).  I issued two previous statements on these rules, the first of which I issued last December, available at https://www.sec.gov/news/statement/gerding-cybersecurity-disclosure-20231214, and the second of which I issued in May, available at https://www.sec.gov/news/statement/gerding-cybersecurity-incidents-05212024.

[2] See Adopting Release at 51906 (noting that companies “should continue sharing information with other companies or government actors about emerging threats . . . and a decision to share information with other companies or government actors does not in itself necessarily constitute a determination of materiality” and stating that a company “may alert similarly situated companies as well as government actors immediately after discovering an incident and before determining materiality, so long as it does not unreasonably delay its internal processes for determining materiality”).

[3] Those parties also may include law enforcement and national security agencies.  As I noted in my December statement, the requirements of Item 1.05 do not preclude a registrant from consulting with the Department of Justice, including the Federal Bureau of Investigation (“FBI”), the Cybersecurity & Infrastructure Security Agency (“CISA”), or any other law enforcement or national security agency at any point regarding the incident, including before a materiality assessment is completed, and I encourage public companies to work with the FBI, CISA, and other law enforcement and national security agencies at the earliest possible moment after cybersecurity incidents occur.

[4] 17 CFR Part 243.

[5] See 17 CFR 243.100(a) and (b)(1).

[6] See 17 CFR 243.100(b)(1) (listing the persons to whom Regulation FD applies, including brokers or dealers, investment advisers, investment companies, and holders of the issuer’s securities, subject to certain exclusions set forth in paragraph (b)(2)).

[7] See 17 CFR 243.100(b)(2) (setting forth the exclusions from Regulation FD’s requirement to publicly disclose any material nonpublic information that has been selectively disclosed to the persons listed in paragraph (b)(1)).

[8] See 17 CFR 243.100(b)(2)(i).

[9] See 17 CFR 243.100(b)(2)(ii).

[10] Selective Disclosure and Insider Trading, Release Nos. 33-7881; 34-43154; IC-24599 (Aug. 15, 2000) [65 FR 51715 (Aug. 24, 2000)].

Last Reviewed or Updated: June 27, 2024