TheCorporateCounsel.net

I think it’s safe to say that Item 1.05 cyber incident Form 8-Ks have evolved during the last 15 months or so — particularly following the May 2024 Corp Fin statement regarding voluntary disclosure of an immaterial incident or early disclosure while a materiality determination is still being made. This Debevoise alert shares some granular statistics from the 26 companies (as of February 11) that had reported a cybersecurity incident under Item 1.05 since the effective date of the newly required 8-K disclosure. For example, there was a notable shift to Item 8.01 after the Corp Fin Statement — with 28 companies using Item 8.01 thereafter.

Here are some other key stats from the article:

– The average time between detection and disclosure has been 7.88 business days, and the median length has been 4.5 business days. Nearly half have filed within 4 business days of detecting the cybersecurity incident. (Reminder that the disclosure is required within 4 business days of determining that the incident is material — not the initial detection.)

– 65% of companies disclosed an operational disruption related to the incident (which may be more readily identifiable in early stages compared to financial or more qualitative (like reputational) impacts). For 14 of those companies, the operational impacts were caused, at least in part, by remediation or mitigation efforts.

– 77% of companies disclosed that the incident resulted in access to or exfiltration of data (e.g., client or customer data, or information contained within corporate email accounts). Of those, 6 disclosed the nature of the exfiltrated data or targeted information in the initial Form 8-K and 9 disclosed this information in an amendment.

– 23% of companies identified the threat actor by name or nature.

– No companies disclosed payment of a ransom.

– 50% of companies filed 8-K amendments (required by the rule to the extent any required information is not determined or unavailable at the time of the initial filing).

– Those amendments disclosed “remediation of the relevant cybersecurity incident, details regarding the impact of the incident (including the material or immaterial nature of certain impacts), further actions taken by the threat actor and details regarding the nature of the incident.”

– Three companies initially disclosed cybersecurity incidents on Item 8.01 (all following the Corp Fin statement) before subsequently filing on Item 1.05.

– Meredith Ervine