Last December, the newly adopted SEC cybersecurity rule went into effect, requiring public companies to file a Form 8-K, Item 1.05 within four business days after determining that a material cyberattack—one that had a “material” impact on a company’s finances—has occurred.
Commenters during the rulemaking process expressed concerns that the four-day timeline put too much pressure on companies to disclose incidents, and that the lack of a clear definition of a material cyberattack left compliance requirements up in the air. The first filings have started rolling in, and companies don’t appear to be hesitant to disclose incidents.
The filings further indicate that companies are taking a more conservative approach to mandatory disclosures—meaning they are filing shortly after the occurrence of a cybersecurity incident, often before determining whether the incident is material.
Of the 10 companies that submitted 8-K forms under the new rule between Dec. 18 and March 15, seven were unsure whether the incident was material.
Only one company, VF Corp., explicitly stated in the filing that the incident had a material impact. Companies may be using the new disclosure requirements to placate stakeholder concerns following adverse cybersecurity incidents.
Prior to the rule, companies used Item 8.01 to report cybersecurity incidents. In the same timeframe last year, 12 Form 8-K filings made under Item 8.01 mentioned cybersecurity incidents. For 2022, this number was two; it was one for both 2021 and 2020; and zero for 2019.
The four-business-day timeline hasn’t shown itself to be too much of a roadblock for these companies either. Half of the Item 1.05 filings were made within four business days of an attack, and most were made even without a finding of materiality. Hewlett Packard is the outlier, filing an 8-K 32 business days after a cybersecurity incident.
If Hewlett Packard doesn’t get targeted by SEC enforcement, this delay in filing could set the bar for other companies in defining what a “reasonable time” is between incident and disclosure.