Erik Gerding, the Director of the SEC's Division of Corporation Finance, issued a statement on the requirement that public companies disclose material cybersecurity incidents. The statement is intended to clarify the distinction between the mandatory disclosure of a material cybersecurity incident and voluntary disclosures of other cybersecurity incidents. Gerding said that the statement is not meant to discourage voluntary disclosure of incidents but to encourage voluntary disclosures in a manner that does not confuse investors or dilute the value of disclosures of material incidents.
Disclosure rules. The SEC adopted final rules requiring, inter alia, disclosure of material cybersecurity incidents on Form 8-K. New Item 1.05 in Form 8-K requires the disclosure of any cybersecurity incident determined to be material, plus a description of the nature and impact of the incident. In December 2023, soon before some of the new requirements went into effect, Gerding discussed the rules, their rationale, and their mechanics.
Read the rest of the story and other securities news from Wolters Kluwer at VitalLaw.com.