We’ve long covered the SEC’s regulation requiring public companies to disclose serious cybersecurity incidents in an 8-K filing. See several updates and the text of the cyber disclosure regulation here. A common theme since the rules were released in 2023 has been confusion about when cybersecurity 8-Ks must be filed. The rules seem straightforward on paper, but real-world applications are revealing significant confusion, as highlighted in a recent LinkedIn discussion sparked by cybersecurity expert Michael McLaughlin.
Cyber 8-K Required for “Material Incident,” But What’s That?
The SEC introduced an “Item 1.05” form of 8-K for disclosing significant cyber events within four business days of a company determining it has suffered a material cyber event. But the threshold for “materiality” remains subjective, often hinging on factors such as financial impact, operational disruption, or reputational harm. As McLaughlin notes, if a company hasn’t yet determined that a breach was material but wants to make a voluntary disclosure anyway, it should use a different type of 8-K, such as an “Item 8.01” (“8.01s” are a catch-all for “other events” not covered by other disclosure filings).
In his post, McLaughlin, co-leader of cybersecurity and data privacy at law firm Buchanan Ingersoll & Rooney PC, singled out one public company for what he described as an improper use of Form 8-K Item 1.05 in a filing earlier this month. The company, a provider of data and security solutions, noted in the filing that it had been hit with a ransomware attack, but: “(T)he Incident does not appear to have had a material impact on the Company’s business operations; however, the full scope and impact of this Incident is not yet known and could result in a future determination that the incident either was not or has been material to the Company’s financial statements and results of operations.”
In other words, the company filed a report of a “material” cyber incident when it did not yet know whether the attack was material. Adding confusion to the situation, the company went on to state: “The expected costs related to the Incident, including fees for our cybersecurity experts and other advisors, and costs to restore any impacted systems, are reasonably likely to have a material impact on the Company’s results of operations and financial condition” (boldface ours).
This is just the most recent example of “8-K confusion;” previous reports from law firms have identified many others.
Why Does the Type of 8-K Matter?
Aside from raising questions about corporate governance and potentially causing stock volatility (for example, if investors initially believe the breach was more serious than it was), filing premature cyber 8-Ks could affect how cyber insurers perceive a firm’s risk, as well as provide fodder for litigators, who often seize on disclosures to launch lawsuits on behalf of affected customers.