CCRcorp Sites  

The CCRcorp Network unlocks access to a world of insights, research, guides and information in a range of specialty areas.

Our Sites


A basis for research and practical guidance focusing on federal securities laws, compliance & corporate governance.


An educational service that provides practical guidance on legal issues involving public and private mergers & acquisitions, joint ventures, private equity – and much more.


The “one stop” resource for information about responsible executive compensation practices & disclosure.

Widely recognized as the premier online research platform providing practical guidance on issues involving Section 16 of the Securities Exchange Act of 1934 and all of its related rules.


Keeping you in-the-know on environmental, social and governance developments

Meredith recently blogged on statements made by Corp Fin Director Erik Gerding on materiality determinations and SEC disclosures about cyber incidents at publicly-traded companies. Meredith said companies should assess “all relevant factors” and not limit that assessment to the incident’s impact on the company’s financial condition and results of operation.

“[C]ompanies should consider qualitative factors alongside quantitative factors.” For example, companies should consider whether the incident will “harm . . . [its] reputation, customer or vendor relationships, or competitiveness.” Companies also should consider “the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and Federal Governmental authorities and non-U.S. authorities.”

Echoing a key comment from SEC Speaks, the statement also adds the following (which is contemplated by Instruction 2 to Item 1.05):

There also may be cases in which a cybersecurity incident is so significant that a company determines it to be material even though the company has not yet determined its impact (or reasonably likely impact).  In those cases, the company should disclose the incident in an Item 1.05 Form 8-K, include a statement noting that the company has not yet determined the impact (or reasonably likely impact) of the incident, and amend the Form 8-K to disclose the impact once that information is available.

While not immediately apparent, SEC’s cyber incident disclosure may cover some environmental incidents.

In March, EPA promulgated sweeping changes to the Risk Management Plan (RMP) rules that apply to facilities that hold specific “regulated substances” in excess of threshold quantities. In the rule’s preamble, passing references were made to cyber risk but EPA didn’t acknowledge the true relevance to potential chemical releases. This is an odd oversight, especially since EPA is aware of such events: two weeks ago, EPA issued an Enforcement Alert on cyber security and risks at drinking water treatment plants, which – along with wastewater treatment plants – have been hacked in the past. EPA mentioned, “Foreign governments have disrupted some water systems with cyberattacks and may have embedded the capability to disable them in the future.”

Most (but not all) water and wastewater treatment plants are municipal entities and not subject to SEC reporting, but the RMP rules cover a broad range of facilities regardless of whether they are owned/operated by municipalities or private companies. In cyber breaches resulting in an EPA-regulated matter, reporting companies will have to thoroughly assess the “qualitative factors alongside quantitative factors” related to the release/incident, including the possibility of litigation, to determine if the event also triggers SEC disclosure. Companies with an RMP that experience a release resulting from a cyber incident can look to that document’s Off-site Consequence Analysis (OCA). The OCA can be instructive for potential SEC cyber incident disclosures (if needed) as the OCA contains data about the significance/impact of a release, and it offers insight into the potential for litigation based on the community and businesses that are impacted.

If you aren’t already subscribed to our complimentary ESG blog, sign up here: for daily updates delivered right to you.

Back to all blogs

The Editor

Lawrence Heim has been practicing in the field of ESG management for almost 40 years. He began his career as a legal assistant in the Environmental Practice of Vinson & Elkins working for a partner who is nationally recognized and an adjunct professor of environmental law at the University of Texas Law School. He moved into technical environmental consulting with ENSR Consulting & Engineering at the height of environmental regulatory development, working across a range of disciplines. He was one… View Profile