Confused by the SEC’s breach reporting rules? Read this

May 22, 2024 at 12:40PM

The SEC has clarified its guidelines for public companies on disclosing ransomware and other cybersecurity incidents. Public firms must report “material” cyber intrusions under Form 8-K, Item 1.05. For incidents that are immaterial, or for which no materiality determination has yet been made, companies should use Form 8-K, Item 8.01. The SEC’s aim is to help investors distinguish between the two kinds of filing when making decisions.

From the meeting notes, it is clear that the US Securities and Exchange Commission (SEC) wants to give public companies clearer guidance on disclosing ransomware and other cybersecurity incidents. The key points are:

1. Public companies are required to disclose material cybersecurity incidents under Item 1.05 of Form 8-K, that is, incidents that have a financial impact or that investors should know about before making investment decisions.
2. For incidents that have not yet been determined to be “material”, or that the company specifically states are not material, companies should file under Item 8.01 of Form 8-K instead.
3. The SEC’s Erik Gerding emphasized the importance of distinguishing between material and non-material cybersecurity incidents, highlighting the potential impact of that distinction on investor decisions.
4. Separating Item 1.05 filings from Item 8.01 filings is intended to help investors make more informed decisions about material cybersecurity incidents.

In summary, companies should use Form 8-K, Item 1.05 for material cybersecurity incidents and Form 8-K, Item 8.01 for incidents that have not yet been determined to be material or that are disclosed voluntarily. This distinction is meant to give investors better transparency when making financial and voting decisions.