SEC clarifies rules on selective disclosure of cybersecurity incidents
On 20 June 2024, Erik Gerding, Director of the Division of Corporation Finance at the US Securities and Exchange Commission (SEC), issued a statement addressing the selective disclosure of information regarding material cybersecurity incidents. This follows the SEC’s adoption of rules last year requiring public companies to disclose such incidents under Item 1.05 of Form 8-K.
Gerding clarified that these rules do not preclude companies from sharing additional information about a material cybersecurity incident with their commercial counterparties. Despite misconceptions, the SEC’s new rules do not restrict companies from discussing the incident beyond what is included in the Form 8-K disclosure. Sharing details with vendors, customers, or other impacted companies can aid in remediation and compliance with regulatory requirements.
The statement also addressed concerns about Regulation Fair Disclosure (Regulation FD), which mandates public disclosure of any material nonpublic information selectively shared with market professionals or shareholders. Gerding emphasised that Regulation FD does not prevent private sharing of material cybersecurity information, provided the information is either immaterial or shared with parties not covered by Regulation FD. Furthermore, disclosures made under confidentiality agreements or to individuals with a duty of trust do not require public disclosure under Regulation FD.
Transparent and compliant communication about cybersecurity incidents is essential for maintaining trust and mitigating risks in the financial ecosystem. Enhanced clarity on disclosure regulations supports the broader goal of high-quality, reliable financial reporting, essential for informed decision-making by investors and stakeholders. Makes sense to us.
For more details, read the statement here.
