Selective Disclosure of Information Regarding Cybersecurity Incidents

Last year, the Commission adopted rules requiring public companies to disclose material cybersecurity incidents under Item 1.05 of Form 8-K.[1] Since then, staff in the Division of Corporation Finance have heard assertions that those rules may preclude a company from sharing additional information about a material cybersecurity incident with others, including its commercial counterparties. Apparently, some companies are under the impression that if they experience a material cybersecurity incident, the Commission’s new rules prohibit them from discussing that incident beyond what was included in the Item 1.05 Form 8-K disclosing the incident. That is not the case.
