Hewlett Packard Enterprise Company
1701 East Mossy Oaks Rd.
Spring, TX 77389
June 18, 2024
VIA EDGAR Submission
U.S. Securities and Exchange Commission
Division of Corporation Finance
Office of Life Sciences
100 F Street, N.E.
Washington, D.C. 20549
Attn: Irene Paik
James Lopez
Re: Hewlett Packard Enterprise Co
Current Report on Form 8-K
Filed January 19, 2024
File No. 001-37483
Dear Ms. Paik and Mr. Lopez:
Hewlett Packard Enterprise Company (“HPE,” the “Company” or “we”) hereby sets forth the following information in response to the comment contained in the correspondence of the staff (the “Staff”) of the U.S. Securities and Exchange Commission (the “Commission”), dated June 4, 2024 (the “Comment Letter”), relating to the above-referenced Form 8-K (the “Form 8-K”).
For the Staff’s convenience, the text of the Staff’s numbered comment from the Comment Letter is set forth below in bold, with the Company’s response thereto immediately following the comment.
Current Report on Form 8-K filed January 19, 2024
Item 1.05 Material Cybersecurity Incidents
1. We note the statement that you experienced a cybersecurity incident, and your investigation of the incident and its scope remains ongoing. Please advise us as to why you determined to file under Item 1.05 of Form 8-K given the statement that the incident has not had a material impact on your operations, and you have not determined the incident is reasonably likely to materially impact your financial condition or results of operations.
RESPONSE: We respectfully acknowledge the Staff’s comment.
First, our interpretation of Item 1.05(a) is that the disclosure trigger for Item 1.05(a) is the registrant’s determination that a cybersecurity incident is “material” – as the adopting release states, “[t]he obligation to file the Item 1.05 disclosure is triggered once a company has developed information regarding an incident sufficient to make a materiality determination….” (emphasis added).1 The adopting release explains this trigger as follows:
In the majority of cases, the registrant will likely be unable to determine materiality the same day the incident is discovered. The registrant will develop information after discovery until it is sufficient to facilitate a materiality analysis. At that point, we believe investors are best served knowing, within four business days after the materiality determination, that the incident occurred and what led management to conclude the incident is material.2
The adopting release makes clear that registrants should be applying the United States Supreme Court’s definition of materiality as set forth in TSC Indus. v. Northway, 426 U.S. 438 (1976), Matrixx Initiatives v. Siracusano, 563 U.S. 27 (2011) and Basic v. Levinson, 485 U.S. 224 (1988) in evaluating whether disclosure is required.3
If this trigger is met, then registrants are required to “describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.” However, it is our understanding that “material impact” and “reasonably likely material impact” are not the disclosure triggers for Item 1.05(a).4
Second, in making the determination to file the Form 8-K under Item 1.05 on January 24, 2024, we considered a number of factors, including the impact of the incident, the identity of the threat actor, the limited guidance available at the time with respect to Item 1.05, the practice of other companies (which was limited at the time), and the potential benefit to investors. With regard to the practice of other companies, we specifically observed that, on January 19, 2024, Microsoft Corporation filed an Item 1.05 Form 8-K to report a cybersecurity incident involving the same suspected nation-state actor, Midnight Blizzard, as in our incident.
1 Release 33-11216 at 39.
2 Id. at 32.
3 Id. at 80.
4 We note that the statement made by the Director of the SEC’s Division of Corporation Finance on May 21, 2024 takes a position on the disclosure trigger in Item 1.05 consistent with our interpretation: “There also may be cases in which a cybersecurity incident is so significant that a company determines it to be material even though the company has not yet determined its impact (or reasonably likely impact). In those cases, the company should disclose the incident in an Item 1.05 Form 8-K, include a statement noting that the company has not yet determined the impact (or reasonably likely impact) of the incident, and amend the Form 8-K to disclose the impact once that information is available.”
While we did not determine that the incident was material to HPE at the time of filing, we believed in good faith that it was appropriate and reasonable to disclose the incident under Item 1.05. We took this more conservative approach to file under Item 1.05 in an effort to promote transparency, timely provide information to investors, and comply with both the letter and the spirit of Item 1.05. We believe our approach was consistent with what, at the time, appeared to be the practice of other public companies confronting similar situations. In the Form 8-K, we sought to provide sufficient detail to adequately inform investors of the incident. Our disclosure clearly stated that, “[a]s of the date of this filing, the incident has not had a material impact on the Company’s operations, and the Company has not determined the incident is reasonably likely to materially impact the Company’s financial condition or results of operations,” which we believe limited the potential for this disclosure to confuse investors. Our investigation of this incident remains ongoing, and we will continue to evaluate additional disclosure obligations pertaining to this incident going forward.
In addition, if an issuer wanted to make a voluntary disclosure of a cybersecurity incident – even though the issuer had not determined such incident to be material – Item 1.05 does not prohibit a voluntary disclosure and appeared to be the more logical item because it concerned “cybersecurity incidents,” rather than Item 7.01 or Item 8.01, both of which are catch-all provisions for “other events.”
Finally, we acknowledge the statement made by the Director of the SEC’s Division of Corporation Finance on May 21, 2024, and we will take this guidance into consideration to the extent applicable to any future cybersecurity incidents.
We acknowledge that HPE and its management are responsible for the accuracy and adequacy of HPE’s disclosures, notwithstanding any review, comments, action or absence of action by the Staff.
If you have additional questions or comments, please contact me at (215) 530-5363 or david.j.antczak@hpe.com.
Sincerely,
/s/ David Antczak
David Antczak
Senior Vice President, General Counsel & Corporate Secretary
cc: Marie Myers, Executive Vice President & Chief Financial Officer