Cybersecurity Form 8-Ks: Corp Fin’s Interesting Comment Letter Process

We’ve known for some time that Corp Fin is reviewing Form 8-Ks filed after a company experiences a cybersecurity incident – including whether those 8-Ks should be filed under Item 1.05 or Item 8.01. These reviews have happened side-by-side with three tranches of guidance from the staff regarding cybersecurity incident 8-Ks, including:

  • Corp Fin Director Erik Gerding’s statement clarifying that companies should not file Form 8-Ks under Item 1.05 in connection with a cybersecurity incident that they have determined isn’t material or for which they have not yet made a materiality determination.
  • Another statement from Erik Gerding clarifying that disclosure of material cybersecurity incidents on an Item 1.05 Form 8-K doesn’t preclude companies from sharing information beyond that disclosed in the 8-K with others, including contractual counterparties.
  • These five new CDIs (104B.05, 104B.06, 104B.07, 104B.08 and 104B.09) on Item 1.05 Form 8-Ks.

Now, the Corp Fin staff has uploaded an interesting publicly available comment letter about this Form 8-K that has these notable features:

  1. The Form 8-K filing was delayed because the DOJ determined that a delay was justified – In its comment letter, Corp Fin doesn’t question whether the delay – which the DOJ blessed twice – was justified. You may recall that Item 1.05(c) provides a framework for delaying the filing of an Item 1.05 Form 8-K if the US attorney general determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of such determination in writing.
  2. A single comment about clarifying whether the incident is material – The staff’s comment letter questioned whether the company had determined the cybersecurity incident was material, since the company filed under Item 1.05 but only disclosed that the incident was not reasonably likely to materially impact its financial condition and results of operations, and did not indicate if there were qualitative factors that were reasonably likely to have a material impact on the company.
  3. A longer than usual “review complete” letter – The first bullet in this “review complete” letter is worth reading in full, but we break out the interesting parts below.
  4. “Review complete” letter sort of reads like a follow-up comment letter – This middle part of the first bullet responds to the argument that the company made in its response letter that the incident was determined to be “material” but that it was not reasonably likely to have a “material impact”:

    “[D]espite your conclusion that you did not believe that there was any material impact or reasonably likely material impact as a result of the incident, your response states that ‘the Company concluded that, particularly with the reputational and customer perception risks associated with the incident, information about the incident would significantly alter the total mix of information made available and that there was a substantial likelihood that a reasonable shareholder would consider information about the incident to be important in making a voting or investment decision.’ We again call your attention to the Commission’s statement in the adopting release that Item 1.05’s inclusion of ‘financial condition and results of operations’ is not exclusive; companies should consider qualitative factors alongside quantitative factors in assessing the material impact of an incident. For example, consider impacts on customer relationships, competitiveness, and potential reputational harm related to the cybersecurity incident.”

    The first bullet ends with, “It appears inconsistent to conclude that an incident is material because of ‘reputational and customer perception risks associated with the incident’ but that the incident has not had, and is not reasonably likely to have, any material impacts on the company, including with respect to the company’s reputation and customer perception.”

In light of this unusual “review complete” letter, companies should continue to expect the staff to question Item 1.05 disclosures that simply indicate that the incident is not reasonably likely to have a material impact on their financial condition and results of operations without addressing any qualitative factors that were determined to be material.

Authored by

Broc Romanek

Cooley