Yesterday, Corp Fin Director Erik Gerding issued a statement to clarify that a company should not file Form 8-K under Item 1.05 in connection with a cybersecurity incident that it has determined is not material or for which it has not yet made a materiality determination. As clarified in the statement, if a company decides to make a Form 8-K disclosure regarding a cybersecurity incident that it has not (or not yet) determined to be material, that disclosure should be made under Item 8.01 instead.

Here are 4 key points from Director Gerding’s statement:

  1. Companies are not discouraged from filing voluntary Form 8-Ks regarding cybersecurity incidents that are not material or for which a materiality determination has not been made. These voluntary disclosures have value to investors, the marketplace and the companies.

  2. This clarifying statement is intended to encourage practices that will help avoid investor confusion or dilution of the value of Item 1.05 – as a clear indication that a company has determined that an incident is material.

  3. If a company makes an Item 8.01 disclosure regarding an incident and later determines that the incident is material, the Item 1.05 disclosure is triggered by that determination and must be made within 4 business days of the determination. The company may need to add to its disclosure in the second Form 8-K to satisfy the requirements of Item 1.05.

  4. There may still be instances where Item 1.05 disclosure is triggered before a company has determined the impact of the event. In that case, the statement notes that “the company should disclose the incident in an Item 1.05 Form 8-K, include a statement noting that the company has not yet determined the impact (or reasonably likely impact) of the incident, and amend the Form 8-K to disclose the impact once that information is available. The initial Form 8-K filing, however, should provide investors with information necessary to understand the material aspects of the nature, scope, and timing of the incident, notwithstanding the company’s inability to determine the incident’s impact (or reasonably likely impact) at that time.”
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Allison Handy Allison Handy

Allison Handy is the firmwide co-chair of the Corporate & Securities practice. Her extensive experience includes advising public and private companies in connection with corporate governance practices, disclosure issues, and capital markets transactions, such as equity offerings, debt offerings and tender offers. She…

Allison Handy is the firmwide co-chair of the Corporate & Securities practice. Her extensive experience includes advising public and private companies in connection with corporate governance practices, disclosure issues, and capital markets transactions, such as equity offerings, debt offerings and tender offers. She is also a leader of the firm’s Environmental, Social, and Governance advisory team.

Allison provides counsel to companies on a broad range of issues faced by management and directors in connection with the many compliance aspects of securities laws, including governance rules adopted by the Securities and Exchange Commission (SEC) and stock exchanges. She advises boards and committees in matters related to internal investigations and the efforts of shareholder activists, and works closely with in-house counsel, financial personnel, and outside auditors and advisors to help her clients prepare proxy statements and other reports to investors that meet complex disclosure obligations.