An Update on the SECs Cybersecurity Reporting Rules

pAs we pass the twomonth anniversary of the effectiveness of the US Securities and Exchange Commissions SECs Form 8K cybersecurity reporting rules under new Item 105 this blog post provides a highlevel summary of the filings made to dateppppSix companies have now made Item 105 Form 8K filings Three of these companies also have amended their first Form 8K filings to provide additional detail regarding subsequent events The remainder of the filings seem selfcontained such that no amendment is necessary but these companies may amend at a later date In general the descriptions of the cybersecurity incidents have been written at a high level and track the requirements of the new rules without much elaboration It is interesting but perhaps coincidental that the filings seem limited to two broad industry groups technology and financial services In particular two of the companies are bank holding companiesppAlthough several companies have now made reports under the new rules the sample space may still be too small to draw any firm conclusions or decree what is market That said several of the companies that have filed an 8K under Item 105 have described incidents and circumstances that do not seem to be financially material to the particular companies We are aware of companies that have made materiality determinations in the past on the basis of nonfinancial qualitative factors when impacts of a cyber incident are otherwise quantitatively immaterial but these situations are more the exception than the ruleppThere is also a great deal of variability among the forwardlooking statement disclaimers that the companies have included in the filings in terms of specificity and detail Such a disclaimer is not required in a Form 8K but every company to file under Item 105 to date has included one We believe this practice will continueppSince the effectiveness of the new rules a handful of companies have filed Form 8K filings to describe cybersecurity incidents under Item 801 Other Events instead of Item 105 These filings have approximated the detail of what is required under Item 105 It is not immediately evident why these companies chose Item 801 but presumably the companies determined that the events were immaterial such that no filing under Item 105 was necessary at the time of filing Of course the SEC filing is one piece of a much larger puzzle when a company is working through a cyber incident and related remediation It remains to be seen how widespread this practice will become To date the SEC staff has not publicly released any comment letters critiquing any Form 8K cyber filing under the new rules but it is still early in the process The SEC staff usually but not always makes its comment letters and company responses to those comment letters public on the SECs EDGAR website no sooner than 20 business days after it has completed its review With many public companies now also making the new Form 10K disclosure on cybersecurity we anticipate the staff will be active in providing guidance and commentary on cybersecurity disclosures in the coming yearppCookie Settingsp