SEC staff statement on cybersecurity incidents

This week, the Division of Corporation Finance released a statement clarifying the form and content of disclosures of cybersecurity incidents on Form 8-K. While a July 2023 rule requires disclosure of material cyber incidents on Item 1.05 (Material Cybersecurity Incidents) of Form 8-K, a company may elect to voluntarily disclose a cyber incident it has determined was not material or an incident for which it has not yet made a materiality determination. The statement encourages companies to make these voluntary disclosures under Item 8.01 (Other Events) of Form 8-K instead of Item 1.05. Then, if a company later concludes that the incident is material, it must file an Item 1.05 Form 8-K within four business days of that materiality determination. The statement also reminds companies of the factors that should be considered in the materiality assessment.

For more on the disclosure rules, read SEC adopts cybersecurity disclosure rules. For more on the materiality assessment for cyber incidents, read Making materiality judgments in cybersecurity incident reporting.
Expand Expand

Welcome to Viewpoint, the new platform that replaces Inform. Once you have viewed this piece of content, to ensure you can access the content most relevant to you, please confirm your territory.

signin option menu option suggested option contentmouse option displaycontent option contentpage option relatedlink option prevandafter option trending option searchicon option search option feedback option end slide