At an April 4 Privacy Summit, it was reported that an SEC panelist seemed to discourage overreporting of cyber incidents. The official stated that "[o]ne thing I think we all agree on is that . . . there is a presumption if you're filing an 8-K [about a cyber incident], that incident is material." The SEC official added that "the intention is for [an 8-K cyber incident] disclosure to be about [a] material incident and not more of a 'cover yourself' 8-K."
To the extent public companies are inclined to interpret these comments as encouraging them to err on the side of NOT disclosing cyber incidents that may or may not be material, they are taking an unnecessary risk. Here's why:
- Reasonable Disagreement: Some cyber incidents are clearly material and others are clearly immaterial. The issue only arises where reasonable minds could disagree about whether an incident is material. Many cyber incidents are likely to fall within this zone of ambiguity, among other reasons because the SEC rule requires companies to consider both "quantitative" and "qualitative" materiality. Thus, to legitimately assess materiality, companies may have to either predict or wait to determine (a) what costs an insurer will ultimately cover; (b) what litigation and regulatory inquiries will be filed and how they will be resolved; (c) what impact the incident will ultimately have on the company's stock price; (d) whether any temporary operational impact will be made up for later in the year; and (e) whether the incident ends up being eclipsed by other events. These are difficult questions to answer, and for the reasons discussed below, companies cannot afford to delay disclosure until all of them are fully resolved.
- The Law Says to Err on the Side of Disclosure: Despite these panel comments, both the SEC and the U.S. Supreme Court have said to err on the side of disclosure. Specifically, in the Final Cybersecurity Rule itself, the SEC stated that "'Doubts as to the critical nature' of the relevant information should be 'resolved in favor of those the statute is designed to protect,' namely investors." See https://lnkd.in/ebBqzsRS at 15 (quoting TSC Indus. v. Northway, 426 U.S. 438, 448 (1976)). In other words, when in doubt, disclose.
- Litigating Late Disclosure: Statistically, as with securities litigation generally, the vast majority of breach litigation is likely to be brought by private plaintiffs (e.g., shareholders and consumers) rather than by the SEC itself. Virtually every breach complaint filed these days alleges, among other things, that the Company was negligent in failing to timely disclose an incident, and that if the Company had timely disclosed the incident, the plaintiffs would have been able to mitigate their losses. See, e.g., https://lnkd.in/e_PaDyBJ. Thus, it is important that companies timely disclose incidents that may be material in order to protect themselves from a risk greater than the SEC: class actions. An 8-K is a safe way to do that.
- No Penalty for Over-Disclosure: The whole foundation of securities law is about increasing corporate transparency, i.e., the amount of accurate information available to investors. Thus, far from penalizing overreporting, the securities laws generally reward it (except perhaps where overreporting is actually intended to confuse or mislead investors). It would be very difficult for plaintiffs or regulators to bring a successful action based on overreporting of accurate information. Indeed, in the Final SEC Cyber Rule, the SEC suggests that underreporting is more harmful to investors than overreporting, noting that "[w]hile it is possible that occasionally there may be incidents that initially appear material but developments after the filing of the Item 1.05 Form 8-K reveal to be not material, the alternative of delaying disclosure beyond the four business day period after a materiality determination has the potential to lead to far more mispricing and will negatively impact investors making investment and voting decisions without the benefit of knowing that there is a material cybersecurity incident." See https://lnkd.in/ebBqzsRS at 32.
- The "Presumption" of Materiality: The SEC's comment about an 8-K coming with a "presumption" of materiality is technically correct, but seems to be a red herring. As an initial matter, any presumption of materiality is weakened if the 8-K itself states that the Company has not yet determined whether the incident is material and is simply filing the 8-K "in an abundance of caution." More importantly, regardless of any presumption, an incident is either material or it is not. By the time the issue of materiality is resolved by a court, the facts are more likely to have played themselves out, and it will be clearer whether the incident was or was not material. If it was material, it is good that the company filed an 8-K. If it was not material, then the presumption of materiality is defeated.
The SEC panelist was correct to note that where Registrants file an 8-K "in an abundance of caution" because they could not yet determine whether an incident was material, they put themselves "on the hook to amend the filing if there's additional information that comes to be known." Continually trickling out information about an incident via 8-K risks drawing further public attention to the incident and raising questions about the competence of the company's response, but in many (if not most) cases, those risks will be outweighed by the risks surrounding untimely disclosure.
CEO & Co-founder at Kovrr | Cyber Risk Quantification
7 months ago
Still an issue nearly three months later, although now they can file these non-material, or 'not yet deemed material,' incidents in 8.01, which should cover them in case of a lawsuit. But even after Gerding released his announcement, organizations (Affirm Holdings) are disclosing this non-material event in 1.05. I agree that the underlying point of these disclosures is to foster transparency, but the regulations plainly state that unless an event is determined to be material, it should not be filed under 1.05. It's black and white. One could argue that the definition of materiality itself is still confusing corporate governors. It's a slightly different issue than what you've discussed, although equally important should the SEC want disclosure consistency.
MSCSIA | vCISO | CISSP-ISSAP | CISM | CASP+ | CEH | CHFI
10 months ago
https://despair.com/collections/demotivators/products/government?variant=12108109873278 I have this on my desk just for occasions like this.
Information & Cybersecurity Director (CISO)
10 months ago
The "reasonable" assurance from a certain oversight board has moved towards absolute assurance. It is no wonder that companies are erring on the side of caution.
Computerworld Columnist, writer for CSO Online, CIO.com, podcaster, blogger. Focuses on cybersecurity and analytics issues for IT and Security enterprise executives.
10 months ago
Can you please share a link to the piece where this SEC panelist is quoted?