Lessons Learned: One Year of Form 8-K Material Cybersecurity Incident Reporting
View Debevoise In Depth
Key Takeaways:
- Since the SEC’s rule requiring disclosure of material cybersecurity incidents became effective in December 2023, companies have grappled with the decision of whether to file a Form 8-K in the wake of a cybersecurity incident.
- Following a statement by the Director of the SEC’s Division of Corporation Finance in May 2024, there has been a clear trend of companies disclosing non-material cybersecurity incidents under Item 8.01 of Form 8-K instead of Item 1.05, reserving the use of Item 1.05 of Form 8-K for cybersecurity incidents determined to have had, or which are reasonably likely to have, a material impact on a company’s business.
- Over the course of 2024, the SEC issued several comment letters regarding the scope of Form 8-K disclosure, encouraging more detailed disclosure of the material impacts of cybersecurity incidents.
- After several years of novel and aggressive enforcement relating to cybersecurity disclosures, the SEC’s approach to cybersecurity enforcement may change under the new administration, as the SEC faces competing priorities that may divert focus and resources away from cybersecurity initiatives.