SEC Chimes in on Early Cybersecurity Disclosures

Earlier this year, we offered readers three lessons from the initial wave of disclosures made under new cybersecurity rules issued by the Securities and Exchange Commission in 2023. For example, we saw companies attempting to recast what could be interpreted as damaging revelations about online hacks of their networks as commentaries on their robust cyber defense systems. One of our observations was that companies were struggling to come to a consensus on what constitutes material information for investors when it comes to cybersecurity events. Apparently, that uncertainty is causing headaches for the SEC.

Last month, the director of the SEC Division of Corporation Finance, Erik Gerding, released a statement trying to provide some clarity regarding how registered companies should abide by the rule. Gerding encouraged issuers to take a different approach to nonmaterial incidents or those in which they have yet to make a call on materiality. Specifically, when they file a Form 8-K to disclose such an incident, corporations should do so under something besides Item 1.05, which is titled “Material Cybersecurity Incidents.”

“I recognize the value of such voluntary disclosures to investors, the marketplace, and ultimately to companies, and this statement is not intended to disincentivize companies from making those disclosures,” Gerding said. “Rather, this statement is intended to encourage the filing of such voluntary disclosures in a manner that does not result in investor confusion or dilute the value of Item 1.05 disclosures regarding material cybersecurity incidents.”

The mere fact that the SEC felt compelled to issue such a statement indicates the signal-to-noise ratio of material disclosures versus nonmaterial ones is low. In a memo prompted by Gerding’s statement, lawyers from Bryan Cave Leighton Paisner LLP said a survey of more than two dozen 8-K filings under Item 1.05 this year turned up “fewer than five” disclosures of materiality.

Gerding also tried to offer some pointers on evaluating materiality. Unfortunately, the language was no less vague than other efforts to help issuers get a better grip on the concept in relation to cybersecurity. Gerding urged companies to make disclosure decisions based on “all relevant factors,” emphasizing that evaluation involves more than the impact of an incident on “financial condition and results of operation.”

But at least one company hasn’t been forthright enough about its cybersecurity, according to the SEC. In May, the commission announced it had struck a $10 million deal with The Intercontinental Exchange Inc. to settle charges the company failed to tell the SEC and ICE’s nine subsidiaries for “several days” about a cyberattack on its computer systems in April 2021. (ICE’s subsidiaries include the New York Stock Exchange.) Consequently, the subsidiaries couldn’t fulfill their own responsibilities to inform the SEC about the security breach in a timely manner.

“When it comes to cybersecurity, especially events at critical market intermediaries, every second counts and four days can be an eternity,” said Gurbir S. Grewal, head of the SEC’s Division of Enforcement, in a statement chastising ICE for the disclosure delay.

To be fair, ICE’s indiscretions predated the new cybersecurity disclosure rules. The SEC will eventually find an opportunity to make an example of a company that is too lax about its standards for disclosure, though. Rest assured the agency won’t hesitate to disclose that to the public when it does.
