In July, we previewed the new rules adopted by the Securities and Exchange Commission (“SEC”) for Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. Under these rules, Item 1.05 of Form 8-K requires U.S. public companies to disclose material cybersecurity incidents. We have been tracking Form 8-K filings under the new SEC requirements since the rules went into effect on December 18, 2023.  In this chart, you can find links to each of these filings, as well as the relevant dates and amendments (if any), updated as of April 24, 2024.  We will periodically update the Debevoise Data Blog to reflect new Form 8-K filings under Item 1.05.

As a reminder, a Form 8-K under Item 1.05 must be filed within four business days after the determination that an incident is material. This materiality determination must be made “without unreasonable delay.” If the United States Attorney General determines that disclosure of an incident could pose a substantial risk to national security or public safety and notifies the SEC of that risk, a company may delay disclosure while it works with the Department of Justice to resolve the risk. In practice, we do not expect this national security delay to be invoked frequently.

When filing an 8-K under Item 1.05, registrants must disclose (1) the material aspects of the nature, scope and timing of the incident (i.e., basic identifying details) and (2) the material impact or reasonably likely material impact of the incident on the registrant, including on the registrant’s financial condition and results of operation.  Materiality should be determined using the same standard that practitioners are familiar with from other securities laws contexts.  The materiality standard takes into consideration both quantitative and qualitative factors to assess “whether a shareholder would consider [the information] important” to their investment decisions or if the information would have “significantly altered the ‘total mix’ of information made available.”

The new rules include a similar obligation for foreign private issuers (“FPIs”) listed in the U.S. However, FPIs are required to disclose material cybersecurity incidents on Form 6-K only after the incident is disclosed or is required to be disclosed in a foreign jurisdiction to any stock exchange or security holders. As a result, disclosure by FPIs will continue to be driven by home-country laws and regulations, rather than by the SEC’s new cybersecurity incident disclosure regime.

Our Cybersecurity Incident Disclosure Tracker, updated as of April 24, 2024, can be found here.

The cover art used in this blog post was generated by DALL-E.

Author

Avi Gesser is Co-Chair of the Debevoise Data Strategy & Security Group. His practice focuses on advising major companies on a wide range of cybersecurity, privacy and artificial intelligence matters. He can be reached at agesser@debevoise.com.

Author

Ben Pedersen is a partner in the firm’s Capital Markets Group and member of the Special Situations team. His practice focuses on a broad range of capital markets transactions, regularly representing issuers, private equity firms and underwriters in public and private offerings of debt and equity securities, and advising public and private companies on securities laws, disclosure, corporate governance and general corporate matters. He can be reached at brpedersen@debevoise.com.

Author

John M. Jacob is an international associate and a member of the Capital Markets Group. He can be reached at jjacob@debevoise.com.

Author

Talia N. Lorch is a corporate law clerk and a member of the Capital Markets Group.