Matthias Knab, Opalesque: Erik Gerding, Director, Division of Corporation Finance, has published the following comment on the US Securities Commission's requirements for disclosing cybersecurity incidents:
The Commission's cybersecurity rules require public companies to disclose material cybersecurity incidents under Item 1.05 of Form 8-K. If a company discloses a cybersecurity incident without having determined its materiality, or has deemed it immaterial, the Division recommends using a different item on Form 8-K (e.g., Item 8.01). Item 1.05 is intended for material incidents only, and voluntary filings under it may confuse investors.
Companies are not discouraged from voluntarily disclosing cybersecurity incidents, but such disclosures should avoid confusion and maintain the significance of Item 1.05 for material incidents. Differentiating filings under Item 1.05 for material incidents and Item 8.01 for others helps investors make informed decisions.
If an incident initially disclosed under Item 8.01 as immaterial is later determined to be material, the company must file an Item 1.05 Form 8-K within four business days of this determination. This subsequent filing should reference the earlier Item 8.01 disclosure and meet Item 1.05 requirements.
Companies should consider all relevant factors when determining an incident's materiality, beyond just financial impact. This includes potential harm to reputation, relationships, competitiveness, and possible legal or regula...