Corp Fin Director Erik Gerding Issues “Cyber Materiality” Statement

Yesterday, Corp Fin Director Erik Gerding issued a statement to clarify that a company should not file Form 8-K under Item 1.05 in connection with a cybersecurity incident that it has determined is not material or for which it has not yet made a materiality determination. As clarified in the statement, if a company decides to make a Form 8-K disclosure regarding a cybersecurity incident that it has not (or not yet) determined to be material, that disclosure should be made under Item 8.01 instead.

Here are 4 key points from Director Gerding's statement:

1. Companies are not discouraged from filing voluntary Form 8-Ks regarding cybersecurity incidents that are not material or for which a materiality determination has not been made. These voluntary disclosures have value to investors, the marketplace and the companies.
   
    
2. This clarifying statement is intended to encourage practices that will help avoid investor confusion or dilution of the value of Item 1.05 – as a clear indication that a company has determined that an incident is material.
   
    
3. If a company makes an Item 8.01 disclosure regarding an incident and later determines that the incident is material, the Item 1.05 disclosure is triggered by that determination and must be made within 4 business days of the determination. The company may need to add to its disclosure in the second Form 8-K to satisfy the requirements of Item 1.05.
   
    
4. There may still be instances where Item 1.05 disclosure is triggered before a company has determined the impact of the event. In that case, the statement notes that "the company should disclose the incident in an Item 1.05 Form 8-K, include a statement noting that the company has not yet determined the impact (or reasonably likely impact) of the incident, and amend the Form 8-K to disclose the impact once that information is available. The initial Form 8-K filing, however, should provide investors with information necessary to understand the material aspects of the nature, scope, and timing of the incident, notwithstanding the company's inability to determine the incident's impact (or reasonably likely impact) at that time."