The Corp Fin Staff Speaks on Cyber and AI Disclosures: 5 Things

A few weeks ago, PLI held its annual "SEC Speaks" in DC and this year was more interesting than usual given all the rulemaking the SEC has done recently. [I worked in Corp Fin right out of law school in 1988 and back then, the entire Corp Fin was invited to attend the conference for free - hence the bulk of the audience was comprised of Staffers and then-Corp Fin Director Linda Quinn sat up front for the entire conference and gave us a master class in the securities laws as it applied to disclosure (at least, that's how I remember it).]

The big news is that the panels were freely available to all – for example, here's 9 hours of video from the first day of the conference and 8.5 hours of video from the second day. The SEC wants transparency from their guidance, as Commissioner Peirce noted in her remarks.

Here are a few of the lessons learned from Corp Fin Staff members (who were speaking in their own capacity per the traditional disclaimer):

1. Cyber Disclosures
   
   1. Remember that any disclosure of a cyber incident's material impact in an Item 1.05 Form 8-K should be qualitative as well as quantitative. You should provide qualitative disclosure even if the incident's harm isn't capable of being quantified yet. These types of disclosures should discuss the incident's impact on the company's reputation, competitiveness and customer or service provider relationships (subject to the materiality qualifier).
   
   2. When it comes to interpreting "without unreasonable delay" in Instruction 1 of Item 1.05 of Form 8-K, any change to a company's process and procedures that delays – including a change that is made to delay or postpone the materiality determination – might be determined to be an "unreasonable delay."
   
   3. To avoid being determined to have caused an "unreasonable delay," companies might not be able to wait for the investigation or fact gathering to be fully complete to make a materiality determination. Remember that Instruction 2 of Item 1.05 of Form 8-K allows companies to provide unavailable information later by amendment.
    
2. AI Disclosures
   
   4. The Corp Fin Staff gave us some large company stats: that 59% of annual reports filed by large accelerated filers made AI disclosure this year, up from 27% last year. 33% of filings included disclosures in both the business and risk factors sections.
   
   5. These are the type of issues to consider when making AI disclosures:

• Whether AI exposes a company to operational or regulatory risks
• Whether material AI risks – or AI disclosure overall – are tailored to facts and circumstances
• Whether there is support for claims about AI opportunities
• Whether the board's role in AI oversight should be described
• Whether the use of an AI risk management framework should be made
• Whether there are EU AI Act risks

Here's our blog about five takeaways from the SEC's Enforcement staff at this conference...