As we approach the one-year anniversary of the effective date of the U.S. Securities and Exchange Commission (“SEC”) reporting rules on Form 8-K for material cybersecurity incidents, we provide a high-level overview of the last year’s developments.
Background on SEC Reporting Rules
Under the SEC’s rules, Item 1.05 of Form 8-K generally requires public companies in the United States to disclose material cybersecurity incidents within four business days of determining that the incident is material. The disclosure must contain the nature, scope and timing of the incident and the impact or reasonably likely impact of the incident on the company, its financial condition and its results of operations. For these purposes, SEC rules define “cybersecurity incident” to include “an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.”
Under the U.S. federal securities laws, information is material if there is a substantial likelihood that a reasonable investor would consider it important in making an investment or voting decision, or if it would have significantly altered the “total mix” of information made available to investors. For future or uncertain events, materiality is determined by balancing the probability that an event will happen against the potential magnitude of the event in light of the totality of the company activity. There is no bright line test for determining whether particular information is material. The SEC has cautioned that the analysis does not turn solely on financial or quantitative factors, and that qualitative factors must also be considered.
Thus, a company’s materiality determination depends on the facts and circumstances unique to each incident, including both its quantitative impact on the company’s business and qualitative factors such as the incident’s nature, extent and potential magnitude, particularly as those factors relate to any compromised information or the business and scope of the company’s operations. The impact of an incident may encompass a range of harms that should be considered in making the materiality determination, such as the potential: (1) negative impact on financial performance and operations; (2) harm to reputation; (3) harm to customer, vendor or other business relationships; (4) negative impact on competitiveness; and (5) litigation or regulatory investigations or actions. The SEC staff has repeatedly stressed these five qualitative factors, which are drawn from the SEC adopting release announcing the new rules, when providing public commentary on Item 1.05 disclosure.
Disclosures to Date of Cybersecurity Incidents
As of December 5, 2024, 24 separate companies have made disclosure under Item 1.05 to announce the existence of a material cybersecurity incident. As an alternative to Item 1.05 disclosure, many other companies have described cybersecurity incidents under other items of Form 8-K, particularly under Item 7.01 for Regulation Fair Disclosure and Item 8.01 for “other events.” Still other companies have described cybersecurity incidents in Form 10-Q, Form 10-K or elsewhere in SEC filings, but not under cover of Form 8-K.
To date, only one company has disclosed that it sought a delay from filing Form 8-K under a mechanism in the SEC rules that permits a company to petition the U.S. Attorney General for a temporary filing deferral. It is certainly possible that other companies have also used this procedure but have not yet made public disclosure of the underlying event.
SEC Guidance, Enforcement Actions and Comment Letters
As with any new rule, disclosure practices have evolved rapidly in the year since the rules took effect. SEC staff have issued several guidance documents to help fine-tune disclosure practices since the effective date of the rules. Staff guidance seems to encourage companies to save Item 1.05 for the most significant cybersecurity incidents, and use another 8-K item (such as Item 8.01) for those that do not meet the criteria of Item 1.05.
The SEC in October 2024 announced settled enforcement actions against four companies regarding cybersecurity disclosure and found that one of the companies “negligently made materially misleading misstatements” in Form 8-K regarding a cyberattack. In this case, the SEC alleged that statements to investors minimized the attack by failing to disclose the nature of the code that the threat actor exfiltrated and the quantity of encrypted credentials accessed. Notably, the company’s disclosure was made prior to the effectiveness of Item 1.05.
The SEC staff has also issued a series of comment letters to companies that have made disclosure under Item 1.05, particularly when a given company has indicated that the event has not had a material impact on the company’s financial condition or results of operations. These letters are routine communications from the staff to a given company requesting clarification or revision of potentially ambiguous disclosure and part of the agency’s overall oversight of public companies. The comments differ slightly from company to company, but generally take the following form:
“We note the statement that you experienced a cybersecurity incident in your Form 8-K filed on _____, 2024. Please advise us as to why you determined to file under Item 1.05 of Form 8-K given the statement that the incident had not had a material impact on your operations, and you had not determined it was reasonably likely to materially impact your financial condition or results of operations.”
Companies receiving this comment have varied in their responses to the SEC staff. Some companies, particularly those that filed in the early days of the rule before any staff guidance was published, have conceded that they may have misread the rule and would reconsider such a filing in the future. Others have sought to justify the filing, and have made the argument to the SEC staff that the determination as to whether a material cybersecurity incident has occurred is a separate analysis from whether it would have a material impact on operations or financial condition. After the SEC staff pushed back on the first company to assert this interpretation, several companies have subsequently made substantially the same argument without further staff objection.
Each cybersecurity incident must of course be assessed on the unique facts and circumstances of that event. Nevertheless, when making the materiality determination, it appears that the SEC staff has set the bar relatively high for making disclosure under Item 1.05, and the staff seems to prefer that immaterial cybersecurity incidents be discussed elsewhere.
Looking Ahead
With the upcoming change in presidential administrations, it is possible that the SEC may provide further guidance on Item 1.05 or the other SEC cybersecurity disclosure requirements enacted since 2021. On January 20, 2025, Republicans will take a 2-1 majority at the SEC, and a Republican commissioner will be named acting chairman of the agency until Paul Atkins, President-Elect Trump’s nominee for permanent SEC chairman, obtains Senate confirmation. The two sitting Republican commissioners have sometimes expressed skepticism as to the agency’s approach to cybersecurity reporting and enforcement; however, the SEC’s cybersecurity rules likely will be a lower priority than other pressing matters, such as a revised approach to cryptocurrency regulation and repeal of the SEC’s climate disclosure rules. Accordingly, it is likely the current cybersecurity reporting regime will remain in place for some time.