June 20, 2024/US SEC
Erik Gerding
Director, Division of Corporation Finance
[*]Last year, the Commission adopted rules requiring public companies to disclose material cybersecurity incidents under Item 1.05 of Form 8-K.[1] Since then, staff in the Division of Corporation Finance have heard assertions that those rules may preclude a company from sharing additional information about a material cybersecurity incident with others, including their commercial counterparties. Apparently, some companies are under the impression that if they experience a material cybersecurity incident, the Commission’s new rules prohibit them from discussing that incident beyond what was included in the Item 1.05 Form 8-K disclosing the incident. That is not the case.
Item 1.05 of Form 8-K requires a company that experiences a cybersecurity incident that it determines to be material to describe the material aspects of the nature, scope, and timing of the incident, as well as the incident’s material impact or reasonably likely material impact on the company, including its financial condition and results of operations. Nothing in Item 1.05 prohibits a company from privately discussing a material cybersecurity incident with other parties or from providing information about the incident to such parties beyond what was included in an Item 1.05 Form 8-K.[2] Those parties may include commercial counterparties, such as vendors and customers, as well as other companies that may be impacted by, or at risk from, the same incident or threat actor.[3] I recognize that sharing information about a material cybersecurity incident with those parties may assist with remediation, mitigation, or risk avoidance efforts and may facilitate those parties’ compliance with their own incident disclosure and reporting obligations, if required under the Commission’s rules or other regulatory regimes.
I also recognize that companies could conceivably have concerns that privately disclosing additional information regarding a material cybersecurity incident beyond what was included in an Item 1.05 Form 8-K could implicate the Commission’s rules regarding selective disclosures that are set forth in Regulation FD. It is important to reiterate the scope of Regulation FD.[4] As is well-known, Regulation FD requires public disclosure of any material nonpublic information that has been selectively disclosed to securities market professionals or shareholders, as specified in the regulation.[5] Depending on the information disclosed, and the persons to whom that information is disclosed, discussions regarding a cybersecurity incident may implicate Regulation FD.
That said, nothing in Item 1.05 alters Regulation FD or makes it apply any differently to communications regarding cybersecurity incidents. There are several ways that a public company can privately share information regarding a material cybersecurity incident beyond what was disclosed in its Item 1.05 Form 8-K without implicating Regulation FD. For example, the information that is being privately shared about the incident may be immaterial, or the parties with whom the information is being shared may not be one of the types of persons covered by Regulation FD.[6] Further, even if the information being shared is material nonpublic information and the parties with whom the information is being shared are the types of persons covered by Regulation FD, an exclusion from the application of Regulation FD may apply.[7] For example, if the information is being shared with a person who owes a duty of trust or confidence to the issuer (such as an attorney, investment banker, or accountant)[8] or if the person with whom the information is being shared expressly agrees to maintain the disclosed information in confidence (e.g., if they enter into a confidentiality agreement with the issuer),[9] then public disclosure of that privately-shared information will not be required under Regulation FD.
While some companies may have a general reticence to privately share information regarding a material cybersecurity incident, as discussed earlier, the Commission’s rules generally do not prohibit the sharing of such information. The selective disclosure rules in Regulation FD were adopted over 20 years ago.[10] As such, public companies and their attorneys should be well-versed in navigating those rules, and, if the scope and requirements of those rules are heeded, they should not pose an undue impediment to the mutually beneficial sharing of information regarding material cybersecurity incidents.