On May 21, 2024, the SEC criticized the practice of the “non-material” materiality filing, asserting that “it could be confusing for investors if companies disclose either immaterial cybersecurity incidents or incidents for which a materiality determination has not yet been made under Item 1.05.” [1]
The SEC is advising companies to discontinue the practice of reporting non-material incidents under Item 1.05 of Form 8-K. Rather, the SEC advises companies that seek to disclose immaterial cybersecurity incidents, or incidents not yet determined to be material, to report under Item 8.01 of Form 8-K, so that investors are informed, but not confused, by the reporting.[2] This guidance will force companies to make a clear choice during an incident. If the “material to the investor” threshold is reached, then an Item 1.05 notice is required. If a company seeks to put investors on notice, but has not yet made a determination, it may use the more general “catch-all” Item 8.01.
The SEC rule is clear – notices must be filed within 4 days of a company making a determination that an incident is material. As SEC Chair Gary Gensler said when the Final Rule was released,
I am guided by the concept of materiality. Our markets depend on a basic bargain: Investors get to decide which risks to take so long as companies raising money from the public make full, fair, and truthful disclosure. Thus, if an issuer has a material cyber incident, then under today’s final rules, the issuer will need to disclose material information about that material incident.
Whether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors.[3]
The Securities and Exchange Commission (SEC) is not interested in publicly traded companies hedging on whether an incident is material by filing a notice under the recent cybersecurity regulation while asserting in the filing that the incident is not material.
Since the cyber incident reporting rule went into effect in December 2023, there have been 15 Cybersecurity 8-K Item 1.05 notices filed.[4] Several major companies have used this tactic since the rule went into effect, prompting the SEC’s clarification.
[2] Id.
[3] SEC.gov | Statement on Public Company Cybersecurity Disclosures
[4] A nice resource to keep track of Cyber 8-Ks is in the Debevoise Data Blog. A big thanks to the associates who scour the filings and keep that information organized and up to date. We all appreciate it! 8-K Item 1-05 – Material Cybersecurity Incidents Tracker-5.10 (debevoisedatablog.com)