In July of 2023, the Securities and Exchange Commission (SEC) adopted final rules that require public companies to disclose material cybersecurity incidents they experience on an annual basis, as well as material information regarding their cybersecurity risk management, strategy, and governance. To protect shareholders, the SEC’s rule sought to provide investors with timely and accurate information about important risks to their investments arising from an all-too-common risk to companies—data breach.
The SEC has been addressing cybersecurity incidents for years, including guidance in 2011 and again in 2018. The 2023 rule also sought to address the varying and erratic ways in which companies disclosed cybersecurity events. Specifically, the SEC noted in its December 23, 2023, statement: “Although public companies’ disclosure of material cybersecurity incidents and cybersecurity risk management and governance improved since the guidance was issued, disclosure practices have remained inconsistent.” (Emphasis added).
In other words, the SEC’s 2023 rule was meant, in part, to provide both a consistent description of what must be disclosed and a timeline (within four business days of determining a cybersecurity incident to be material) for when disclosure must occur.
As companies have begun implementing the new rules, there has been some confusion around how these disclosures may prohibit or limit a company’s ability to discuss additional details of the incident with vendors, partners, or customers. For background, Regulation FD is an SEC rule that generally prohibits public companies from selectively disclosing material nonpublic information to certain people outside the company (i.e., to prevent “insider trading”). The concern, for many companies, was that Regulation FD would prevent the company from providing additional or more sensitive nonpublic information to other parties in the course and scope of responding to a cybersecurity incident. For example, would there be a violation of Regulation FD if a company needed to provide nonpublic information, not disclosed in a Form 8-K, to a forensic investigation company that is assisting the company in responding to an active incident?
As it turns out, the answer is no. This new guidance from the SEC clears up any lingering confusion by stating:
Nothing in Item 1.05 prohibits a company from privately discussing a material cybersecurity incident with other parties or from providing information about the incident to such parties beyond what was included in an Item 1.05 Form 8-K. Those parties may include commercial counterparties, such as vendors and customers, as well as other companies that may be impacted by, or at risk from, the same incident or threat actor. [The Division of Corporation Finance Director at the SEC, Erik Gerding] recognize[s] that sharing information about a material cybersecurity incident with those parties may assist with remediation, mitigation, or risk avoidance efforts and may facilitate those parties’ compliance with their own incident disclosure and reporting obligations, if required under the Commission’s rules or other regulatory regimes.
. . .
[N]othing in Item 1.05 alters Regulation FD or makes it apply any differently to communications regarding cybersecurity incidents. There are several ways that a public company can privately share information regarding a material cybersecurity incident beyond what was disclosed in its Item 1.05 Form 8-K without implicating Regulation FD. For example, the information that is being privately shared about the incident may be immaterial, or the parties with whom the information is being shared may not be one of the types of persons covered by Regulation FD. Further, even if the information being shared is material nonpublic information and the parties with whom the information is being shared are the types of persons covered by Regulation FD, an exclusion from the application of Regulation FD may apply. For example, if the information is being shared with a person who owes a duty of trust or confidence to the issuer (such as an attorney, investment banker, or accountant) or if the person with whom the information is being shared expressly agrees to maintain the disclosed information in confidence (e.g., if they enter into a confidentiality agreement with the issuer), then public disclosure of that privately-shared information will not be required under Regulation FD.
This clarification helps give companies peace of mind as they navigate what is often a stressful and hectic response to a cybersecurity incident. Nevertheless, the SEC’s guidance also reminds companies of the importance of using trusted advisors, such as legal counsel, and of ensuring that this information is shared pursuant to a well-drafted confidentiality agreement or under another clearly documented exception or exclusion to Regulation FD.