The requirement to disclose material cybersecurity events under new Item 1.05 of Form 8-K takes effect today (other than for smaller reporting companies, for which the new requirement will take effect on June 15, 2024).
While companies’ disclosure controls and procedures regarding this new requirement will continue to evolve, and will differ from company to company based on the nature and extent of the evolving cybersecurity risks they face, below are a few key points to keep in mind:
- The trigger date under Item 1.05 of Form 8-K is the date on which the company determines that a cybersecurity incident is material, not the date the incident occurs or when the company first discovers the incident. In addition, as highlighted in a speech last week by Erik Gerding, the Director of the SEC’s Division of Corporation Finance, and in a new SEC staff Compliance and Disclosure Interpretation, simply discussing an incident with the government or other third parties does not, in and of itself, constitute a determination that an incident is material.
- The materiality determination, which must be made “without unreasonable delay” after discovery of the incident, is to be analyzed under the traditional securities law definition of materiality, considering both qualitative and quantitative factors. We included an illustrative list of considerations that may be relevant to this materiality analysis in a prior client alert and in our updated publication Keeping Current With Form 8-K: A Practical Guide.
- If a company determines that an incident is material but some of the information required by Item 1.05 of Form 8-K is not determined or is unavailable by the deadline, the Form 8-K must still be filed by the original deadline, the Form 8-K must disclose that some information is not determined or available, and the Form 8-K must be amended within four business days after the company, without unreasonable delay, determines the information or it becomes available.
- The FBI has issued guidance and the SEC staff has issued Compliance and Disclosure Interpretations regarding the process for companies to seek an extension of the normal four-business-day filing deadline for Item 1.05 events because the disclosure poses a substantial risk to national security or public safety. The FBI encourages companies to contact it following discovery of an incident and, importantly, has said that it will not process delay requests unless they are received by the FBI immediately upon a company’s determination to disclose a cyber incident via Form 8-K.
Maintaining and documenting effective disclosure controls and procedures around cybersecurity incidents is an ongoing process, and companies should continuously make adjustments based on lessons learned from incidents at the company and at peer companies and on the evolving nature of cybersecurity threats. As an initial matter, companies should focus on their internal processes for evaluating incidents and escalating information within the organization, their incident response procedures, the interaction of their technical experts with their disclosure counsel and disclosure committee (or other group within the company that performs a similar function), and the process for promptly assessing the materiality of events for purposes of Form 8-K reporting.