SEC Remains Focused on Disclosure of Cybersecurity Incidents
Recent Securities and Exchange Commission (SEC) enforcement action and statements by SEC officials show that the Commission remains focused on disclosures regarding cybersecurity incidents. On May 21, 2024, Erik Gerding, director of the SEC’s Division of Corporate Finance, issued a statement to clarify that public companies are only required to disclose a cybersecurity incident under Item 1.05 […]
Elizabeth Skey is a Partner and Bingxin Wu is an Associate at Cooley LLP. This post is based on their Cooley memorandum.
Recent Securities and Exchange Commission (SEC) enforcement action and statements by SEC officials show that the Commission remains focused on disclosures regarding cybersecurity incidents. On May 21, 2024, Erik Gerding, director of the SEC’s Division of Corporate Finance, issued a statement to clarify that public companies are only required to disclose a cybersecurity incident under Item 1.05 of Form 8-K if the incident is “determined by the registrant to be material.” The next day, on May 22, 2024, the SEC announced that it has settled charges with The Intercontinental Exchange (ICE) relating to ICE’s alleged failure to timely inform the SEC of a cyber intrusion under Regulation Systems Compliance and Integrity (SCI). While Regulation SCI only applies to a small number of key market participants, the SEC’s enforcement order and recent statements signal that the SEC will not hesitate to enforce regulations that require disclosures of cybersecurity incidents.
