Form 8-K Item 1.05 Cybersecurity Incident Disclosure Trends

By Randi Morrison posted 04-04-2024 07:17 PM

  

Debevoise & Plimpton’s analysis of the Item 1.05 Form 8-K disclosures made by 11 companies pursuant to the SEC’s new cybersecurity disclosure rule, covering the period from the rule's December 18, 2023, effective date through March 28, revealed these trends to date:

  • Notwithstanding the fact that the Form 8-K filing deadline is triggered by a materiality determination, the average time from detection of a cybersecurity incident to the Item 1.05 Form 8-K disclosure has been just 5.45 business days. Eight of the 11 companies filed within four business days of detecting the cybersecurity incident.
  • Nine of 11 companies did not identify a material impact as a result of the incident, signaling potential voluntary disclosure of immaterial incidents, a lack of adherence to the Item 1.05 disclosure requirements, or a different gauge or standard for determining materiality.
  • Eight of 11 companies disclosed that they had not, or had not yet, determined that the cybersecurity incident was reasonably likely to materially impact their financial condition or results of operations. (Upon making a materiality determination, Item 1.05 requires companies to “describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the [company], including its financial condition and results of operations.”)
  • Six of 11 companies disclosed an operational disruption as a result of the incident.
  • Five of 11 companies disclosed that the incident resulted in access to or a loss of sensitive data.
  • Four of 11 companies identified a suspected threat actor.
  • Including the Form 8-K/A filed by SouthState (reported in this week's Society Alert), six of the 11 companies have filed amendments to their Form 8-Ks.

Based on its analysis of the filing data relative to the rule requirements, the firm advises companies, among other things, to be cautious about making disclosure prematurely.

See also “How companies describe cyber incidents in SEC filings” (Legal Dive) and additional resources on our Cybersecurity/Data Privacy page. 

This post first appeared in the weekly Society Alert!
