Corp Fin Clarifies That Companies Can Share Cyber Incident Information With Third-Parties Beyond 8-K Disclosure

Following on the heels of his statement last month clarifying that companies should not file Form 8-K under Item 1.05 in connection with a cybersecurity incident that they have determined isn't material or for which they have not yet made a materiality determination, Corp Fin Director Erik Gerding issued this statement last week clarifying that disclosure of material cybersecurity incidents on an Item 1.05 Form 8-K doesn't preclude companies from sharing information beyond that disclosed in the 8-K with others, including contractual counterparties.

Director Gerding notes that Regulation FD offers various alternatives for sharing this information without raising selective disclosure concerns, such as:

• The information is not material
• The recipient isn't one of the types of persons covered by Reg FD
• There is an exclusion from Reg FD, such as the recipient has a duty of trust or confidence to the company (such as an attorney, investment banker, or accountant) or the person with whom the information is being shared expressly agrees to maintain the disclosed information in confidence (e.g., by entering into a confidentiality agreement with the company)