In July, we previewed the new rules adopted by the Securities and Exchange Commission (“SEC”) for Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. Under these rules, Item 1.05 of Form 8-K requires U.S. public companies to disclose material cybersecurity incidents. We have been tracking Form 8-K filings under the new SEC requirements since the rules went into effect on December 18, 2023. In this chart, you can find links to each of these filings, as well as the relevant dates and amendments (if any), updated as of February 18, 2025. We will periodically update the Debevoise Data Blog to reflect new Form 8-K filings under Item 1.05.
As a reminder, the deadline to file a Form 8-K under Item 1.05 is within four business days after the determination that an incident is material. This materiality determination must be made “without unreasonable delay.” If the United States Attorney General determines that disclosure of an incident could pose a substantial risk to national security or public safety, then, if the Attorney General notifies the SEC of such a risk, a company may delay disclosure as they work with the Department of Justice to resolve the risk. In practice, we do not expect this national security delay to be invoked frequently.
When filing an 8-K under Item 1.05, registrants must disclose (1) the material aspects of the nature, scope and timing of the incident (i.e., basic identifying details) and (2) the material impact or reasonably likely material impact of the incident on the registrant, including on the registrant’s financial condition and results of operation. Materiality should be determined using the same standard that practitioners are familiar with from other securities laws contexts. The materiality standard takes into consideration both quantitative and qualitative factors to assess “whether a shareholder would consider [the information] important” to their investment decisions or if the information would have “significantly altered the ‘total mix’ of information made available.”
The new rules include a similar obligation for foreign private issuers listed in the U.S. However, FPIs are only required to disclose material cybersecurity incidents on Form 6-K after the incident is disclosed or is required to be disclosed in a foreign jurisdiction to any stock exchange or security holders. As a result, disclosure by FPIs will continue to be driven by home-country laws and regulations, rather than by the SEC’s new cybersecurity incident disclosure regime.
Our Cybersecurity Incident Disclosure Tracker, updated as of February 18, 2025, can be found here.
To subscribe to the Data Blog, please click here.
The cover art used in this blog post was generated by DALL-E.