Confused by the SEC's IT security breach reporting rules? Read this

'Clarification' weighs in on material vs voluntary disclosures


The US Securities and Exchange Commission (SEC) wants to clarify guidelines for public companies regarding the disclosure of ransomware and other cybersecurity incidents.

According to the breach reporting rules the federal agency adopted in July, public companies must disclose material events under Item 1.05 of Form 8-K. This is the form the SEC requires public companies to submit when they announce big changes that may be material to shareholders.

It means that should a publicly traded company experience a "material" cybersecurity intrusion – one that has a financial impact on the company's operations, or that an investor would want to know about before making an investment decision – it needs to publicly report it under Item 1.05. In fact, Item 1.05 is titled "Material Cybersecurity Incidents."

The fuzziness comes into play when companies disclose a breach for which they haven't made a materiality determination, or security snafus that the company flat-out says were not material.

For these, fill out Item 8.01 of Form 8-K, we're told.

"It could be confusing for investors if companies disclose either immaterial cybersecurity incidents or incidents for which a materiality determination has not yet been made under Item 1.05," said Erik Gerding, director of the SEC's Division of Corporation Finance.

He added that this "is not intended to discourage companies from voluntarily disclosing cybersecurity incidents for which they have not yet made a materiality determination, or from disclosing incidents that companies determine to be immaterial."

These voluntary disclosures do have value, he opined, but they can also "result in investor confusion" and "dilute the value" of disclosing material cybersecurity incidents in the first place.

"Given the prevalence of cybersecurity incidents, this distinction between a Form 8-K filed under Item 1.05 for a cybersecurity incident determined by a company to be material and a Form 8-K voluntarily filed under Item 8.01 for other cybersecurity incidents will allow investors to more easily distinguish between the two and make better investment and voting decisions with respect to material cybersecurity incidents," Gerding said.

So, to be crystal clear, if it's material, file a Form 8-K, Item 1.05. If it's voluntary, or you've yet to determine whether it was material, go with Form 8-K, Item 8.01 instead. ®
