Tag: cybersecurity incident disclosure

New Cooley Alert: SEC Reporting Implications for Publicly Traded Companies Impacted by CrowdStrike Defective Software Update

As you know, the recent CrowdStrike defective software update caused massive and, in some cases, systemic failures of computers and networks of CrowdStrike’s customers running certain Microsoft operating systems. If your company was affected by the CrowdStrike server-related outages, you will certainly want to review this new Cooley Alert, “SEC Reporting Implications for Publicly Traded Companies Impacted by CrowdStrike Defective Software Update,” from our Cyber/Data/Privacy and our Public Companies Groups.

Corp Fin issues new CDIs on cybersecurity incident disclosure

Corp Fin has just issued a new set of CDIs under Form 8-K, Item 1.05, Material Cybersecurity Incidents. The SEC adopted final rules regarding cybersecurity disclosure in 2023, requiring companies “to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.” Under the final rules, if a public company experiences a cybersecurity incident that the company determines to be material, the company is required to file a Form 8-K under new Item 1.05, describing the “material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.” The materiality determination regarding a cybersecurity incident must be made “without unreasonable delay” after discovery of the incident. To the extent that the required information has not been determined or is unavailable at the time of the required filing, the company is required to include a statement to that effect in the filing and then file an amendment to its Form 8-K containing that information within four business days after the company, without unreasonable delay, determines the information or the information becomes available. (See this PubCo post.)

Generally, the new CDIs address Form 8-K Item 1.05 filings in the context of cybersecurity incidents that involve ransomware attacks that result in a disruption in operations or the exfiltration of data. Summaries are below, but each CDI number below is linked to the CDI on the SEC website, so you can easily read the version in full.