TheCorporateCounsel.net

I love those one-page desktop reference guides to Form 8-K. I think they’re so handy for in-house corporate counsel, internal accounting folks, the disclosure committee — really anyone internally who plays a role in 8-K disclosure controls — and new law firm associates. This Desktop Reference: Form 8-K Filing Events from Latham is the first I’ve seen listing soon-to-be-effective Item 1.05 regarding material cybersecurity incidents.

As I poked around further, I saw that WilmerHale has released the 2023 update to its practical guide to Keeping Current With Form 8-K, and it’s been updated throughout to reflect that new Item 1.05 will be effective December 18, 2023 for companies other than smaller reporting companies. This is a longer-form resource and devotes a few pages to each triggering event, the required disclosure and related practice tips. It also discusses filing mechanics — like when to use “Titan” language that investors should not rely on reps and warranties in the exhibited agreement, which items contemplate a subsequent amendment and Form 8-K cover page considerations. Here are some of the guide’s “practice tips” for new Item 1.05:

– Because the definition of “information systems” covers electronic information resources “owned or used by the registrant,” a company is required to disclose a cybersecurity incident suffered by a third-party service provider’s system if that incident has a material impact on the company. Depending on the circumstances of a cybersecurity incident involving a third-party service provider, disclosures may be required by either or both of the service provider and its customer.

– Notwithstanding the obligation to report on third-party systems that experience a cybersecurity incident that materially impacts a company, the SEC noted in the adopting release that companies need only disclose information made available to them, and are generally not required to conduct additional inquiries beyond their regular communications with third-party service providers and in accordance with the company’s disclosure controls and procedures.

– While the materiality of a cybersecurity incident is being assessed, companies should consider whether trading windows should be closed.

– The SEC staff’s 2011 guidance (“2011 Staff Guidance”) and the Commission’s 2018 Interpretive Release (“2018 Interpretive Guidance”) remain applicable and should be used to inform potential disclosure obligations relating to cybersecurity incidents that are not specifically addressed by Item 1.05 or the new annual cybersecurity disclosures called for by Item 106 of Regulation S-K (which was added at the same time as Item 1.05).

– Meredith Ervine