TheCorporateCounsel.net

As this Cooley alert points out, considerations relating to filing an Item 1.05 Form 8-K are just the tip of the iceberg for companies grappling with systemic network failures after the recent CrowdStrike update. The memo raises some of the same issues I discussed in Monday’s blog and then moves on to a host of other disclosure implications. The alert suggests that impacted public companies consider the following actions:

– Ensure compliance with applicable policies and perform assessments to determine whether any impact from the CrowdStrike update is “material,” and whether any reporting is necessary or advisable. … [including] outside the context of Item 1.05 of Form 8-K … giving consideration to potentially providing voluntary disclosure related to the impact of the CrowdStrike update on the company’s operations via Item 8.01 of Form 8-K.

– Perform risk assessments and gap analyses to determine whether there are any shortcomings in systems and systems-related matters, including use of third parties and relevant oversight, monitoring, disaster recovery, and other practices.

– Update risk factors and other disclosures, including regarding systems downtime and/or reliance on third parties to operate critical business systems … [including] to specifically refer to the CrowdStrike update.

– Determine if the CrowdStrike update has had or is expected to have a material impact on the company, then consider if it should be discussed in the management’s discussion and analysis (MD&A) section of SEC filings, including as a known trend for future periods.

– Be mindful of Regulation FD when communicating with analysts and investors regarding the impact of the CrowdStrike update on the company. … Confirming that there was or was not a material impact of an occurrence in one-off communications with analysts/investors could be deemed to be a selective disclosure of material nonpublic information in certain circumstances.

– Evaluate whether the CrowdStrike update has implications for the company’s internal controls and disclosure controls and procedures.

Normally, I would characterize some of these as more long-term considerations than the question of mandatory current reporting, but there are a number of factors at play that make these considerations just as time-sensitive as the 8-K question. First, further data gathering and assessment may be necessary to make an 8-K determination, and the situation is still evolving. For now, it appears that no companies have determined to quickly file an Item 1.05 8-K, and I only see one Item 8.01 8-K related to the incident (filed by CrowdStrike itself on Monday). Second, it’s late July, which means it’s crunch time for second quarter 10-Qs for many companies. We may start to see disclosures related to the CrowdStrike update in 10-Qs before we see them in 8-Ks (like this 10-Q, which notes under Part II, Item 5, “to date, we have experienced no negative impact to our IT systems related to the CrowdStrike software update”).

– Meredith Ervine