A senior SEC official recently clarified that the agency’s cybersecurity breach reporting requirements are not intended for voluntary disclosure of “immaterial” incidents.
The rules require public companies to report a “material” cybersecurity incident to the SEC in an Item 1.05 Form 8-K within four days of determining the breach is material.
The disclosure must describe the material aspects of the nature, scope and timing of the incident, as well as its “material impact or reasonably likely material impact.”
“[I]f all cybersecurity incidents are disclosed under Item 1.05, then there is a risk that investors will misperceive immaterial cybersecurity incidents as material, and vice versa,” the SEC official said.