In a statement today, the Director of the SEC’s Division of Corporation Finance commented on the relatively new Form 8-K Item 1.05 requirement. Last summer when the SEC adopted the final rules relating to cybersecurity incidents, the rules included a new requirement under Item 1.05 of Form 8-K relating to the occurrence of an incident that the company had concluded was material. Division Director Gerding noted in his comments that, “[a]lthough the text of Item 1.05 does not expressly prohibit voluntary filings, Item 1.05 was added to Form 8-K to require the disclosure of a cybersecurity incident ‘that is determined by the registrant to be material,’ and, in fact, the item is titled ‘Material Cybersecurity Incidents.'”
As a result, he suggested that to the extent a company elects to disclose an incident as to which it has yet to make a materiality incident, it do so under a different item of Form 8-K, such as, for example, Item 8.01. If, after the passage of time, the incident is determined to be material, the company can make a filing under Item 1.05.
This is a very helpful clarification and one that he notes is not intended to discourage disclosure, but rather to avoid diluting the significance of the Form 8-K Item 1.05 disclosures.
See his full remarks.