The material cyber incident disclosure requirement that is part of the SEC’s Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure rules for public companies (Rules) has apparently led to confusion, with some companies disclosing incidents that are not material in Item 1.05. Certain companies also believe the Rules prohibit them from sharing with third parties information about cyber incidents beyond what they disclosed in Item 1.05. Erik Gerding, Director of the SEC Division of Corporation Finance, recently issued statements addressing both concerns. With commentary from Eric B. Gyasi, counsel at BakerHostetler, this article discusses the key takeaways from Gerding’s statements and common materiality determination mistakes, along with advice on making materiality determinations. See “SEC Director Offers Clarification on New Cyber Disclosure Regime” (Jan. 3, 2024).