TheCorporateCounsel.net

April 17, 2024

Cybersecurity: To 8-K or Not To 8-K, That is the Question

It has been four months since new Item 1.05 of Form 8-K went into effect, requiring current disclosure of material cybersecurity incidents. Item 1.05 of Form 8-K specifies that, if a company experiences a cybersecurity incident that is determined by the company to be material, the company must describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the issuer, including its financial condition and results of operations. An Item 1.05 Form 8-K must be filed within four business days of determining that an incident is material, subject to limited exceptions.

The experience with Item 1.05 of Form 8-K in its very short life has been somewhat confusing. As this very helpful Debevoise memo notes, a few clear takeaways have emerged in the first 100 days of current reporting of material cybersecurity incidents:

– On December 18, 2023, the SEC’s rule requiring disclosure of material cybersecurity incidents became effective. To date, 11 companies have reported a cybersecurity incident under the new Item 1.05 of Form 8-K and in this article we examine the early results of the SEC’s new disclosure requirement.

– A clear trend toward rapid disclosure has emerged, outpacing the analysis of financial impacts that the SEC believed most companies would include when determining materiality.

– Notwithstanding this trend toward speed, companies experiencing a cybersecurity incident would be well advised to exercise caution before disclosing in the early innings of incident response.

Now, granted, eleven Form 8-K filings is not a particularly robust sample size from which to draw conclusions, but the early compliance experience with a new disclosure requirement often sets the trends for future reporting, so the early filers certainly cannot be ignored. What has left a lot of observers scratching their heads is the nature of the cybersecurity incidents that have been reported, given that on their face the incidents do not strike anyone as the sort of material cybersecurity incident that we were all expecting to be reported. The Debevoise memo notes:

Of the 11 companies that have filed Forms 8-K to report a cybersecurity incident under Item 1.05, one identified a material operational disruption in its initial filing, and another identified a material impact on its results of operations in an amended filing made three weeks after the initial filing. The other nine companies did not expressly identify a material impact. They generally included an affirmative statement that the incident had not materially impacted operations, and they typically stated that they had not determined the incident was reasonably likely to materially impact the Company’s financial conditions or results of operations. The latter statement tracks Item 1.05’s line-item requirement to disclose whether the incident materially impacts the company’s financial condition and results of operations.

This trend has led to speculation that companies are voluntarily reporting immaterial cybersecurity incidents under Item 1.05 of Form 8-K or failing to adequately respond to Item 1.05’s requirements. Alternatively, these nine companies may believe that the combined characteristics of the incident—such as operational disruption, data loss or scope and length of intrusion—comprise the material impacts, in that these or other factors considered together render the cybersecurity incident material, even where no one impact is considered independently material. It is also possible that the SEC’s mandatory disclosure rule has caused a reassessment of when a cybersecurity incident could be considered material—especially incidents with possible qualitative material impact (e.g., reputational or legal) but no quantitative material impact—potentially lowering the bar for disclosure.

Another striking aspect of the early cybersecurity incident reporting experience is the speed with which companies have filed their Form 8-Ks. For this first batch of 11 filers, the average number of days between discovery and filing was 5.45 days, which I think everyone would agree is a very short time in which to identify, investigate and evaluate the materiality of a cybersecurity incident. In this regard, the Debevoise memo notes:

Item 1.05 requires an issuer to file a Form 8-K disclosing specified information about a cybersecurity incident within four business days of determining that the cybersecurity incident is material. This four-business-day deadline runs from the materiality determination, rather than the occurrence or detection of the incident, and the SEC has acknowledged that “[i]n the majority of cases, the registrant will likely be unable to determine materiality the same day the incident is discovered.” In practice, however, companies have disclosed incidents more quickly than the SEC may have anticipated. In the first 100 days, the average time from detection of a cybersecurity incident to the disclosure of the incident on a Form 8-K under Item 1.05 has been 5.45 business days. Eight companies (i.e., over 70% of the sample) have filed Forms 8-K under Item 1.05 within four business days of detecting the cybersecurity incident.

While all disclosure decisions will necessarily be driven by the facts and circumstances surrounding the incident, including regulatory or contractual notification requirements, companies should take care not to rush disclosure in the “fog of war.” In adopting Item 1.05, the SEC acknowledged that registrants will need to “develop information after discovery until it is sufficient to facilitate a materiality analysis.” The Rule, therefore, allows companies to undertake a reasonable investigation and an informed and deliberative materiality analysis, provided companies do not “unreasonabl[y] delay” the required determination. In most instances, we believe companies are well-advised to exercise caution before rushing to disclose early in the course of an incident investigation. Still, sometimes the incident will have public ramifications which may merit very quick disclosure.

My take on these early trends reflects the fact that I am a “traditionalist” on these kinds of disclosure matters, even when approaching a new Form 8-K disclosure item. I advise companies that they should only file an Item 1.05 Form 8-K when they have to, because the incident is material as contemplated by the rule. Disclosing a material cybersecurity incident is very likely to attract attention from the SEC and others who are looking at this new disclosure frontier as an opportunity for enforcement and litigation actions, so discretion is the better part of valor in these situations. In terms of speed, I do think that, in most cybersecurity incidents, it takes time to investigate the incident and to make a materiality determination, so companies should take that time and avoid jumping the gun on an SEC disclosure decision.

– Dave Lynn