Tag: Form 8-K Item 1.05

A few interesting items from the CCR proxy disclosure conference

Here are a few interesting snippets regarding shareholder proposals and Item 1.05 Form 8-K from this week’s 2024 Proxy Disclosure & 21st Annual Executive Compensation Conferences from CCR Corp. On the panels, the watchword of the day seemed to be consistency—given that some topics are increasingly required to be discussed in more than one SEC filing, location or context (e.g., cyber disclosures in the proxy and 10-K), the panelists urged the audience to make sure that the disclosures were consistent with each other and that the discussions of policies, charters and procedures were consistent with the company’s conduct.

New Cooley Alert: SEC Reporting Implications for Publicly Traded Companies Impacted by CrowdStrike Defective Software Update

As you know, the recent CrowdStrike defective software update caused massive and, in some cases, systemic failures to computers and networks of CrowdStrike’s customers running certain Microsoft operating systems. If your company was affected by the CrowdStrike server-related outages, you will certainly want to review this new Cooley Alert, SEC Reporting Implications for Publicly Traded Companies Impacted by CrowdStrike Defective Software Update from our Cyber/Data/Privacy and our Public Companies Groups.

Corp Fin issues new CDIs on cybersecurity incident disclosure

Corp Fin has just issued a new set of CDIs under Form 8-K, Item 1.05, Material Cybersecurity Incidents.  The SEC adopted final rules regarding cybersecurity disclosure in 2023, requiring companies “to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.”   Under the final rules, if a public company experiences a cybersecurity incident that the company determines to be material, the company is required to file a Form 8-K under new Item 1.05, describing the “material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.” The materiality determination regarding a cybersecurity incident must be made “without unreasonable delay” after discovery of the incident. To the extent that the required information has not been determined or is unavailable at the time of the required filing, the company is required to include a statement to that effect in the filing and then file an amendment to its Form 8-K containing that information within four business days after the company, without unreasonable delay, determines the information or the information becomes available. (See this PubCo post.) Generally, the new CDIs address Form 8-K Item 1.05 filings in the context of cybersecurity incidents that involve ransomware attacks that result in a disruption in operations or the exfiltration of data. Summaries are below, but each CDI number below is linked to the CDI on the SEC website, so you can easily read the version in full.

Corp Fin Director issues statement regarding sharing information about cybersecurity incidents

Yesterday, Corp Fin Director Erik Gerding issued a new statement, Selective Disclosure of Information Regarding Cybersecurity Incidents. As you know, last year the SEC adopted new rules regarding cybersecurity disclosure, including requirements for both material incident reporting on Item 1.05 of Form 8-K and periodic disclosure of material information regarding cybersecurity risk management, strategy and governance.  (See this PubCo post.) Gerding’s new statement is designed to disabuse companies of the idea that the new rules preclude them from discussing information about a material cybersecurity incident with others, including their commercial counterparties, beyond the information included in the Form 8-K.   Gerding assures us that “[t]hat is not the case.” But while the new rules may not prohibit disclosure, what about Reg FD?

Statement of Corp Fin Director on reporting cybersecurity incidents on Form 8-K

Yesterday, Corp Fin Director Erik Gerding issued a statement designed to clarify the use of Form 8-K Item 1.05 versus Form 8-K Item 8.01 when reporting cybersecurity incidents.  Sounds like some of us might be doing it incorrectly—or at least sub-optimally—potentially resulting in investor confusion.  Gerding’s statement is designed to set us straight. He also offers a little guidance about making materiality determinations regarding cybersecurity incidents.

Corp Fin adds one more new CDI on Form 8-Ks for material cybersecurity incidents

A few days ago, Corp Fin issued three new CDIs relating to delays in reporting material cybersecurity incidents on Form 8-K. Those CDIs, together with the Department of Justice Material Cybersecurity Incident Delay Determinations, addressed questions related to the Attorney General’s determination—or not—that disclosure of the incident on Form 8-K would pose a substantial risk to national security or public safety. (See this PubCo post.) Yesterday afternoon, Corp Fin added a new CDI on a closely related topic—the impact of a DOJ consultation on a determination, for reporting purposes, about the materiality of the incident itself. As Corp Fin Director Erik Gerding observed in a speech yesterday on cybersecurity disclosure, the CDI was intended to ensure that companies are not deterred from consulting with the DOJ or other national security agencies. The new CDI can be found under the caption Exchange Act Forms, in Section 104B, Item 1.05 Material Cybersecurity Incidents.  A summary is below, but the CDI number is linked to the CDI on the SEC website, so you can easily read the version in full. 

Corp Fin issues new CDIs on delaying Form 8-Ks for material cybersecurity incidents

Corp Fin has just released some new CDIs, summarized below, relating to material cybersecurity incidents. As you know, in July, the SEC voted, three to two, to adopt final rules on cybersecurity disclosure, which include a requirement for material incident reporting on Forms 8-K and 6-K. Compliance with the 8-K and 6-K incident disclosure requirements will be required for all companies other than smaller reporting companies beginning on December 18, 2023. SRCs will have an additional 180-day deferral. (See this PubCo post.) The new CDIs can all be found under the caption Exchange Act Forms, in a new Section 104B, Item 1.05 Material Cybersecurity Incidents. Summaries are below, but each CDI number is linked to the CDI on the SEC website, so you can easily read the version in full.

Compliance dates for SEC cybersecurity disclosure rules

As you know, the SEC adopted final rules on cybersecurity disclosure on July 26, with compliance dates tied to publication in the Federal Register. (See this PubCo post.) Those rules were published on August 4 with compliance dates spelled out in the published release.  

SEC adopts final rules on cybersecurity disclosure [UPDATED]

[This post revises and updates my earlier post primarily to provide a more detailed discussion of the contents of the adopting release.]

At an open meeting on Wednesday last week, the SEC voted, three to two, to adopt final rules on cybersecurity disclosure. In his statement at the open meeting, Commissioner Jaime Lizárraga shared the stunning statistics that, last year, 83% of companies experienced more than one data breach, with an average cost in the U.S. of $9.44 million; breaches increased 600% over the last decade and total costs across the U.S. economy could run as high as trillions of dollars per year. Given the ubiquity, frequency and complexity of these threats, in March last year, the SEC proposed cybersecurity disclosure rules intended to help shareholders better understand cybersecurity risks and how companies are managing and responding to them. Although a number of changes to the proposal were made in the final rules in response to objections that the proposal was too prescriptive and could increase companies’ vulnerability to cyberattack, the basic structure remains the same, with requirements for both material incident reporting on Form 8-K and periodic disclosure of material information regarding cybersecurity risk management, strategy and governance. According to SEC Chair Gensler, “[w]hether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors….Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”

SEC adopts final rules on cybersecurity disclosure

In remarks to the audience at a Financial Times summit earlier this month, Gurbir Grewal, SEC Director of Enforcement, citing a recent poll from Deloitte, observed that over “a third of executives reported that their organization’s accounting and financial data was targeted by cyber adversaries last year.” As threats increase, Grewal maintained, cybersecurity is “foundational to maintaining the integrity of not just our securities markets, but our economy as a whole.” (See this PubCo post.) Similarly, in remarks in January 2022, SEC Chair Gary Gensler suggested that the economic cost of cyberattacks could possibly be in the trillions of dollars, taking many forms, including denials-of-service, malware and ransomware. It’s also a national security issue. He reminded us that “cybersecurity is a team sport,” and that the private sector is often on the front lines. And, in his statement at the SEC open meeting yesterday morning, Commissioner Jaime Lizárraga shared the eye-opening stats that, last year, 83% of companies experienced more than one data breach, with an average cost in the U.S. of $9.44 million; breaches increased 600% over the last decade. Given the ubiquity, frequency and complexity of these threats, in March last year, the SEC proposed cybersecurity disclosure rules intended to help shareholders better understand cybersecurity risks and how companies are managing and responding to them. At an open meeting yesterday morning, the SEC voted, three to two, to adopt final rules on cybersecurity disclosure. Although a number of changes to the proposal were made in response to comments, the basic structure remains the same in the final rules, with requirements for both material incident reporting on Form 8-K and periodic disclosure of material information regarding cybersecurity risk management, strategy and governance.
According to Gensler, “[w]hether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors….Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”