
It has been at least 18 months since the SEC began requiring registrants to disclose the occurrence of a material cybersecurity incident under Item 1.05 of Form 8-K. The disclosure must describe the nature, scope, and timing of the incident, as well as its material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.
As of the date of this article, there have been approximately forty-four (44) filings made under Item 1.05 of Form 8-K. We provide the following insights and considerations based on our review of these filings.
Components of the Filings
We have compiled the following list of components registrants have chosen to disclose in the filings:
- Date of detection or date of the incident
- Involvement of law enforcement and/or external cybersecurity experts
- Notification to relevant regulatory authorities
- Status of containment efforts
- Initiation of incident response or business continuity protocols
- Which operations or business units have been disrupted, as well as which operations have not been disrupted
- Whether the information involved included personal or sensitive information
- References to whether information was encrypted, accessed and/or exfiltrated
- Extent of material impact to operations, including anticipated loss of revenue and costs related to containment and recovery resulting from the cybersecurity incident
Based on the SEC's past enforcement actions related to material cyber disclosures, it is prudent to use language that accurately represents the situation. Registrants should avoid minimizing or omitting material facts about the scope and impact of the incident.
Timing of the Disclosure
The SEC requires that the disclosure be made within four (4) business days of the registrant's determination that the incident is material. Note that the clock runs from the materiality determination, not from the date of the incident or its detection, so the elapsed time from detection to filing is not by itself a measure of compliance. Comparing the filing dates against the reported incident or detection dates, registrants generally made their Item 1.05 disclosure about 7 days after detection on average. This analysis excluded outliers in which the disclosure was made more than eighty-five (85) days after the incident occurred.
What if materiality has not been determined?
SEC staff have made clear that Item 1.05 is intended only for cybersecurity incidents that have been determined to be material, so as not to dilute the value of Item 1.05 disclosures. A registrant that has not yet determined the materiality of an incident but still wishes to disclose it may voluntarily do so under Item 8.01 of Form 8-K. If the incident is later determined to be material, the registrant can then file under Item 1.05, with the four-business-day clock running from that determination.
SEC Enforcement and Looking Ahead
On February 20, 2025, the SEC announced the creation of the Cyber and Emerging Technologies Unit to protect retail investors with the aim of prioritizing enforcement in various areas including, “regulated entities’ compliance with cybersecurity rules and regulations” and “public issuer fraudulent disclosure relating to cybersecurity.”
While it is unclear how cybersecurity disclosures will be prioritized under the next permanent chairman of the SEC, the creation of this new unit underscores the importance of developing a sophisticated cybersecurity strategy and compliance program.
Have you experienced a cybersecurity incident? Contact us today.
*Attorney Advertising: Prior results do not guarantee future outcomes.