In late 2023, Form 8-K was amended to include new Item 1.05, which requires public companies to disclose any cybersecurity incident a company determines to be material. If an event is material, the company would be required to disclose the nature, scope and timing of the incident, as well as the material impact, or reasonably likely material impact, of the incident, under Item 1.05 of Form 8-K. The Item 1.05 Form 8-K would be required to be filed within four business days of the date the event was deemed material. A provision was made for delaying disclosure if the disclosure would pose a substantial risk to national security or public safety.
On May 21, 2024, the Director of the U.S. Securities and Exchange Commission's (SEC’s) Division of Corporation Finance issued a statement urging issuers to only report material cybersecurity incidents under Item 1.05 of Form 8-K. If a company wished to report non-material incidents, or incidents for which a determination had not yet been made, the Director recommended making such reports under Item 8.01 of Form 8-K.
The Director indicated that the clarification was not intended to discourage companies from voluntarily disclosing immaterial cybersecurity incidents or incidents for which they had not yet made a materiality determination; instead, the Director wanted to ensure that investors were not confused about the materiality of any disclosure under Item 5.01. If a company makes a voluntary disclosure under Item 8.01, and then determines that the incident is material, the company would be required to file an Item 1.05 Form 8-K within four business days of the subsequent materiality determination. In addition, the Director noted that if the impact of a material incident was not yet determined, an amendment to the Item 1.05 Form 8-K should be filed to disclose the impact once that information became available.
The Director also noted that the assessment of potential impact on the company should not be limited to its financial condition and results of operation, but should also include qualitative factors. As an example, the Director noted that companies should consider whether the incident would harm their reputation, relationships or competitiveness or potentially result in litigation or regulatory investigations or actions.
For more information, please see Loeb's client alert.