At Northwestern Law’s 44th Annual Ray Garrett Jr. Corporate & Securities Law Institute, Erik Gerding, Director of the SEC’s Division of Corporation Finance, discussed the Securities and Exchange Commission’s final rules relating to cybersecurity risk management, strategy, governance, and incident disclosure (the “Final Rules”). The Final Rules require public companies to timely report material cybersecurity incidents and provide annual disclosures about their cybersecurity risk management processes. Specific details regarding the information required, along with the timing and method of disclosure, are summarized in our Legal Update.

In his remarks, Director Gerding acknowledged that the SEC staff is undertaking targeted selective reviews of public companies’ disclosures under the Final Rules and provided some initial observations on such disclosures. In particular, he noted some companies’ reliance on overly generic or boilerplate language in their cybersecurity disclosures. The SEC expects companies to provide detailed, company-specific information that helps investors understand the actual risks and incidents being reported. This approach supports the SEC’s broader goal of promoting meaningful disclosures that investors can rely on to make informed decisions.

Director Gerding also emphasized that the Final Rules are not aimed at changing corporate behavior or prescribing particular cybersecurity defenses, risk management practices, or governance. Rather, they are focused on improving the quality of the information companies provide, ensuring that investors receive accurate, comparable, and comprehensive disclosures about cybersecurity.

Director Gerding recapped some of the recent guidance issued by the Division of Corporation Finance with respect to compliance with the Final Rules, including the May 2024 statement on reporting cybersecurity incidents that a company either has not yet determined to be material or has determined was not material. The SEC staff had concerns that some of the early Form 8-K filings under Item 1.05 of the new rules used ambiguous disclosure language that potentially could leave investors uncertain as to whether a company had determined the materiality of a cybersecurity incident. The staff guidance was intended to address this concern, and recommends that voluntary filings on incidents not (or not yet) deemed material should be disclosed under Item 8.01, rather than Item 1.05. This distinction is important because it helps investors distinguish between material and non-material incidents and factor that information into their investment and voting decisions.

In his discussion of the staff’s guidance on the Final Rules, Director Gerding also reiterated that companies assessing the materiality of a cybersecurity incident should go beyond considering only quantitative factors and the impact on financial condition and results of operations. Rather, companies must consider factors such as reputational harm, the impact on customer relationships, and litigation or regulatory risk when determining whether an event is material. By focusing on these broader aspects of materiality, companies can provide disclosures that offer a more complete picture of their risks and vulnerabilities.