On June 24, the Securities and Exchange Commission (SEC) issued new compliance and disclosure interpretations (C&DIs) providing additional guidance on cybersecurity incident reporting pursuant to Item 1.05 of Form 8-K. These C&DIs follow four C&DIs published by the SEC in December 2023 relating to disclosure obligation considerations after holding discussions with the U.S. Attorney General about the occurrence of a cybersecurity incident.

The new C&DIs, excerpted below, were issued by the SEC just a month after the SEC’s Division of Corporate Finance director, Erik Gerding, issued a statement in May intended to clarify cybersecurity incident reporting on Form 8-K and provide guidance on determining the materiality of cybersecurity incidents in the context of ransomware attacks that cause operational disruptions or data exfiltration.