Blogs

Paul Hastings’ analysis of 75 Form 8-K cybersecurity incident disclosures made by 48 companies pursuant to the SEC’s new cybersecurity disclosure rule since the December 18, 2023, effective date of the rule through October 31, 2024, revealed these—among other—trends to date:

• Notwithstanding the fact that the Form 8-K filing deadline is triggered by a materiality determination, 32% of filings have been made within four days from discovery/detection of a cybersecurity incident and an additional 46% of filings have been made between five and eight days from detection / discovery.
• Fewer than 10% of companies specified the material impact of the cybersecurity incident in their disclosures.
• Following SEC Staff guidance regarding the objective of Item 1.05 and ransomware materiality in May and June 2024, respectively (which we reported on here and here, respectively), Item 1.05 Form 8-K filings declined in prevalence significantly while the number of Item 8.01 Form 8-K fillings increased (as expected).
• By sector, Financial Services companies led in Form 8-K cybersecurity incident disclosures, followed by Industrials, Healthcare, and Technology company filings (in descending order of prevalence).
• Three-quarters of filings referenced the company’s notification of law enforcement regarding the incident.
• More than 40% of companies filed multiple disclosures for the same incident, most commonly via an updated Form 8-K.

Access additional resources on our Cybersecurity/Data Privacy page.

                              This post first appeared in the weekly Society Alert!