Two months after the U.S. Securities and Exchange Commission’s (“SEC”) Form 8-K cybersecurity reporting rules became effective under new Item 1.05, this blog post provides a summary of reports filed to date. We provide .
Currently, six companies have filed a Form 8-K under Item 1.05. Three of these companies also amended their initial Form 8-K filings to provide additional details regarding subsequent events. The remaining filings are self-contained and do not appear to require amendment, but these companies may wish to amend them at a later date. Cybersecurity incident descriptions are generally written in broad strokes and track the requirements of the new rules without going into too much detail. What is interesting, and perhaps coincidental, is that the filings appear to be limited to two broad industry groups: technology and financial services. In particular, two of the companies are bank holding companies.
Some companies are now reporting under the new rules, but the sample size may still be too small to draw clear conclusions or determine what is “market.” That being said, several companies that have filed 8-Ks under Item 1.05 describe incidents or circumstances that do not appear to be financially material to the particular company. We are aware that in the past some companies have determined materiality based on non-financial qualitative factors, even though the impact of a cyber incident was not quantitatively significant. That is more exceptional than typical.
Additionally, the disclaimers of forward-looking statements that companies include in their filings vary widely in specificity and detail. Although such a disclaimer is not required on Form 8-K, all companies filing under Item 1.05 to date have included a disclaimer. We believe this practice will continue.
Since the new rules went into effect, a small number of companies have filed Form 8-Ks that describe cybersecurity incidents under Item 8.01 (“Other Events”) rather than Item 1.05. These filings provide most of the details required under Item 1.05. It is not immediately clear why these companies chose Item 8.01, but perhaps the companies decided that these events were not material and therefore did not require an Item 1.05 filing at the time of filing. Of course, SEC filings are one piece of a larger puzzle when companies are grappling with cyber incidents and related remediation. It remains to be seen how widespread this practice will be. To date, the SEC staff has not published comment letters criticizing Form 8-K cyber filings under the new rules, which are still in their early stages. The SEC staff typically (but not always) publishes the comment letter and the company’s response to the comment letter on the SEC’s EDGAR website within 20 business days after completing its review. Many publicly traded companies are now also making new Form 10-K disclosures regarding cybersecurity, and we expect staff to be proactive in providing guidance and commentary on cybersecurity disclosures over the next year.