Corporate Cyber Incident Reporting Is Missing the Mark

The SEC Cyber Rule requires public companies to report “material” cyber incidents in the newly established Item 1.05 in Form 8-K. The SEC adopted the rule last year in light of the increase in corporate cyberattacks.

Since the rule’s enactment, however, companies have largely reported cyber incidents that aren’t necessarily material. As a result, the SEC in May issued a clarifying statement on proper disclosure procedure.

Reporting under Item 1.05 should be reserved for material cyber incidents, while any other voluntary disclosure of a cyber incident—regardless of its materiality—should fall under Item 8.01 (Other Events), the SEC said.

Prior to the rule taking effect, companies would disclose a cyberattack or related events to shareholders through an Item 8.01 filing. An analysis of a Bloomberg Law EDGAR Advanced Search of Item 8.01 filings uncovered 68 cyber incidents reported between 2018 and 2023, prior to the new rule’s effective date.

How successful are companies in properly leveraging Form 8-K, Item 1.05 to report material cyber incidents since the new rule took effect in December? Not very, based on the filings.

An EDGAR Advanced Search identified 17 Item 1.05 cyber incident filings and only one Item 8.01 filing related to a cyber event.

Interestingly, the first Item 1.05 filed after the SEC Cyber Rule took effect was the sole filing reporting a material cyber incident. The subsequent filings reported that their cyber incidents were not likely material, except for one filing that only stated that the materiality was not determined at that date of filing.

All but one filing stated that the investigation into the cyber incident was ongoing. Ultimately, companies appear to be eager to report cybersecurity events, but the filings mostly don’t offer any substantial context of the cyber incident for shareholders, which was the SEC’s primary intent for the rule.

GENERATE THE DATA

To replicate the research that was used for this article:

1. Visit Bloomberg Law’s EDGAR Advanced Search and click on “Search EDGAR Filings.” (Bloomberg Terminal subscribers: Run BLAW OUT <GO> and search “EDGAR Search”.)

EDGAR Advanced Search is a tool that permits users to research and retrieve the filings made to the SEC’s EDGAR filing system using a broad array of filters and search terms.

2. Select the tab for 8-K Items*.

3. In the ITEMS section, click on the “Browse Full List.”

4. Click the arrow to drop down the “Section 1 Registrant’s Business and Operations” (or Section 8 Other Events). Select “Item 1.05 Material Cybersecurity Incidents” (or Item 8.01 Other Events) and click Search at the bottom right corner of the screen.

5. Download the records into a spreadsheet format by clicking the download icon above the list of results. Select “Download Results List.”

6. In the pop-up box that appears, make sure that the Hyperlinks option is selected under the CONTENT INCLUDED section and that OUTPUT FORMAT is “Excel.”

The resulting spreadsheet file can be used to analyze Form 8-K, Item 1.05 filings of material cyber incidents.

The same process can be used to retrieve any Form 8-K, Item 8.01 Other Events filings related to a cybersecurity incident if the search feature is utilized. Enter phrases and search terms in the KEYWORDS field to capture filings related to cybersecurity incidents.

The resulting spreadsheet file can be used to analyze related Item 8.01 filings reporting any cybersecurity attack or similar event, such as ransomware or data breach.

Bloomberg Law subscribers can find a variety of Practical Guidance documents, workflow tools, and reference materials for corporate counsel and cyber governance on our Cyber Governance Toolkit as well as our Corporate Governance and Privacy & Data Security practice pages.

If you’re reading this on the Bloomberg Terminal, please run BLAW OUT in order to access the hyperlinked content or click here to view the web version of this article.