
Form 8-K Cybersecurity Incident Disclosure Trends

By Randi Morrison posted 02-23-2025 07:45 PM

  

Wilson Sonsini’s analysis of 80 Form 8-K cybersecurity incident disclosure filings, made by 54 companies pursuant to the SEC’s new cybersecurity disclosure rule between the rule’s December 18, 2023, effective date and January 19, 2025, revealed the following trends to date, among others:

  • Of 80 filings, 51% were filed under Item 1.05; 43% were filed under Item 8.01; and 6% were filed under Item 7.01, with approximately 33% of companies filing more than one Form 8-K for the same incident.
  • Of 55 total incidents reported, 55% disclosed an attack on the company’s operational technology, while 40% disclosed theft of corporate data. Another one-third disclosed acquisition of/access to consumer data other than health data and just over one-quarter disclosed an incident occurring at a third party, while 18% used language that implied the occurrence of a ransomware incident.
  • Notwithstanding the fact that the Form 8-K filing deadline is triggered by a materiality determination, half of companies made their initial filings within four business days of detection of a cybersecurity incident. For those companies that disclosed a detection date, the gap between detection and first filing averaged 12 days.
  • Fewer than 15% of companies (11 filings) specified the material impact of the cybersecurity incident in their disclosures—seven referencing materiality to the company’s quarterly financial results and four referencing materiality to business operations.
  • Following SEC Staff guidance regarding the purpose of Item 1.05 and ransomware materiality in May and June 2024 (which we reported on here and here, respectively), Item 1.05 Form 8-K filings declined in prevalence from 72% to 34% of all filings.
  • By sector, Trade and Services companies led in Form 8-K cybersecurity incident disclosures, followed by Finance, Technology, Industrial, Manufacturing, Energy and Transportation, and Real Estate and Construction (in descending order of prevalence).
  • Just one company is known to have referenced its reliance on the rule’s National Security or Public Safety Exception.

Access additional resources on our Cybersecurity/Data Privacy page.

This post first appeared in the weekly Society Alert!
