Communicating with the SEC When Your Organization Suffers a Cybersecurity Incident
The Securities and Exchange Commission (SEC) has made clear—through its rulemaking, enforcement actions, public statements, and formidable “Crypto Assets and Cyber Unit” within the Division of Enforcement—that public companies are required to promptly assess the materiality of cybersecurity incidents and make swift disclosures of material incidents. Under the SEC’s final rule, within four business days after determining that a cyber incident is material, public companies must disclose the incident on new Item 1.05 of Form 8-K. The disclosure must describe the incident’s nature, scope, and timing, as well as its impact or reasonably likely impact on the company.[1] Public companies must also make periodic disclosures of the company’s process for identifying, assessing, and managing cyber risks, as well as cyber risk oversight by the Board of Directors and management. The SEC adopted similar disclosure requirements for foreign private issuers. These disclosure obligations will require companies to evaluate and adapt their disclosure controls and procedures, management processes, and governance structures around cybersecurity to prepare for the new environment of transparency.
While assessing the materiality of a cybersecurity incident, public companies should consider whether to report proactively the incident to the SEC in advance of any public disclosure and whether to cooperate with any ensuing SEC inquiry or investigation. On the one hand, proactive reporting of likely material cybersecurity incidents can build goodwill with the SEC and make clear from the outset that the organization is thoroughly investigating the incident. On the other hand, informing the SEC about an incident that turns out to be immaterial could expose the organization to expense, business disruption, and unwanted SEC scrutiny, particularly into the organization’s cybersecurity-related internal controls.
Here are four considerations in-house counsel should keep in mind in determining whether to proactively inform the SEC about a cybersecurity incident before making a formal public disclosure.
Many public companies are near-daily victims of immaterial cybersecurity incidents. It would be a mistake to report every phishing scam your organization suffers to the SEC. That said, cooperation benefits can inure to your organization if you engage with the SEC early on regarding incidents that are likely material.
There is a misconception that issuers and registrants should only notify the SEC about a data breach after they have completed their investigations into the breach. For incidents that are likely to be deemed material or significant, the SEC values being notified promptly about a data breach, even when a reporting company is still sorting out what happened and whether the breach is material. Indeed, a reporting company is less likely to get SEC cooperation credit for working with the agency in the post-breach investigation process if the SEC first finds out from another source that the organization suffered a breach.
Another important consideration is whether your company is communicating with other law enforcement agencies about an incident that is likely material. The SEC’s final cyber rule has a limited law enforcement exception, that is, an exemption from disclosure due to an ongoing law enforcement investigation by another government agency. Public companies can delay filing of a Form 8-K disclosure of a material cyber incident if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of such determination in writing. For public companies that need to take advantage of this law enforcement exception, proactive cooperation with the SEC (and the FBI) is prudent because the SEC will find out about the incident anyway via the exception process. Communicating with the SEC about a cybersecurity incident during the pendency of any materiality analysis should not generally compromise the confidentiality of any other law enforcement investigations.
Experience counts when notifying the SEC about a cybersecurity incident, for both the organization and the SEC staff. To place your organization in the best possible position when engaging with the SEC, it is essential to retain counsel who know who to contact within the SEC and what information the SEC staff will seek, and who have a rapport with the staff. It is also essential that counsel have a plan regarding how to keep the SEC apprised without waiving privilege over an internal incident investigation. Similarly, it is extremely important to open the dialogue with SEC staff with cybersecurity expertise.
Opening a dialogue with the SEC means being prepared to inform the agency of your organization’s current understanding of what has happened, what information has been compromised, and how the incident has affected (or is affecting) your business operations. The SEC will also want to know if the incident is ongoing or has been contained, and whether it has been remediated. At this early stage, before a materiality determination has been made, it is critical to share only facts that your organization knows, as opposed to what you hope will happen. Remember, your incident investigation will nearly always be privileged: share facts, not analysis.
The SEC will also want to know whether your organization is complying with its cybersecurity incident policies and procedures, whether you anticipate making a disclosure to investors (and, if not, why), and what steps you have taken to prevent insider trading on the basis of potentially material non-public information about the incident. It is critical that your organization have bespoke policies and procedures that ensure that information about an incident is appropriately escalated to senior management and others responsible for conducting materiality and disclosure analyses. The SEC’s 2018 cybersecurity guidance also makes clear that organizations must tailor disclosure controls and procedures to the known cybersecurity risks.
The SEC’s final cyber rule, enforcement actions, and public statements make clear that organizations must promptly assess the materiality of cybersecurity incidents, and public companies must disclose material incidents on Form 8-K within four business days of a materiality determination (absent a law enforcement exception). That said, a materiality analysis is fact-intensive, requires an incident investigation, and is nearly always privileged. Promptly mobilize your organization to analyze whether the incident is material or significant, as applicable, but understand that this could take time depending on the facts and circumstances.
Moreover, due to information-sharing among law enforcement agencies, the SEC often has information about trending cybersecurity threats that victim organizations do not. This potential information imbalance presents another reason to maintain a dialogue with the SEC as you get your arms around the facts and circumstances of your incident—as the SEC may be able to take steps to protect investors that will inure to your benefit later—but also underscores the need to avoid offering conclusions based on a less-complete understanding of relevant facts than the SEC may already have.
Finally, your incident investigation plan should include steps for how quickly you will both inform the SEC and disclose your incident to the public, if your organization deems the incident to be material or significant, as applicable.
[1] After the final rule was announced, certain companies disclosed non-material incidents on Form 8-K. Recent guidance from the SEC’s Division of Corporation Finance counsels that only material cybersecurity incidents should be disclosed under Item 1.05 of Form 8-K. If a company chooses to voluntarily disclose cybersecurity incidents that are not material or for which materiality has not yet been determined, they are encouraged to make such disclosures under a different item of Form 8-K, such as Item 8.01.