July 27, 2023
More on Cybersecurity: Current Disclosure of Material Cybersecurity Incidents
As I mentioned in the blog yesterday, current reporting of material cybersecurity incidents has been with us since at least the SEC’s 2018 interpretive guidance, but now new Item 1.05(a) of Form 8-K specifies that, if an issuer experiences a cybersecurity incident that is determined by the issuer to be material, the issuer must describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the issuer, including its financial condition and results of operations. An Item 1.05 Form 8-K must be filed within four business days of determining that an incident was material, subject to limited exceptions described below. Issuers must amend a prior Item 1.05 Form 8-K to disclose any information called for in Item 1.05(a) that was not determined or was unavailable at the time of the initial Form 8-K filing.
Issuers may delay making a Form 8-K disclosure up to seven business days following notification of the Secret Service and FBI pursuant to an FCC notification rule for breaches of customer proprietary network information, with written notification to the SEC. The disclosure may also be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of such determination in writing. If the Attorney General indicates that further delay is necessary, the SEC will consider additional requests for delay and may grant such relief through exemptive orders.
The untimely filing of an Item 1.05 Form 8-K will not result in the loss of Form S-3 eligibility. Item 1.05 is also included in the list of Form 8-K items eligible for the limited safe harbor from liability under Section 10(b) or Rule 10b-5 under the Exchange Act.
The required information must be tagged using Inline XBRL.
Foreign private issuers must furnish on Form 6-K information on material cybersecurity incidents that they disclose or otherwise publicize in a foreign jurisdiction, to any stock exchange, or to security holders.
– Dave Lynn