Background
In July 2023, the U.S. Securities and Exchange Commission (SEC) adopted final rules requiring public companies to report material cybersecurity incidents under new Item 1.05 of Form 8-K beginning on December 18, 2023. Our intent with this snapshot is to review the first year of cybersecurity disclosures on Form 8-K.
Tracking the Filings
From the start date of the new rule, Wilson Sonsini has been tracking Form 8-K filings for disclosure of cybersecurity incidents as well as for any effect of the SEC’s guidance on the filings. We have reviewed not only mandatory filings made under new Item 1.05 but also voluntary filings under Items 7.01 and 8.01. Based on our internal data, from December 18, 2023, through January 19, 2025, there have been 55 cybersecurity incidents reported on Form 8-K by 54 companies. One company reported two separate events.
In total, there were 80 filings, of which:
- 51% were under Item 1.05 (41 filings)
- 43% were under Item 8.01 (34 filings)
- 6% were under Item 7.01 (five filings)
Approximately one-third of the companies filed more than one Form 8-K for the same incident, although most of those filed only one amendment or update. Of the total of 19 amendments, approximately 74% (14 filings) were first amendments and 26% (five filings) were second amendments. There were seven additional filings that were not labeled as amendments but were updates to prior filings. Of those, four were for companies that had not otherwise filed an amendment.
In total, there were 15 amendments filed under Item 1.05 and four amendments filed under Item 8.01. Of the seven additional filings that were not labeled as amendments but were updates to prior filings, three were filed under Item 1.05 and two under each of Item 8.01 and Item 7.01.
Types of Incidents Reported
Almost all the filings stated that the company was investigating the incident or was continuing to investigate the incident. The seven filings that did not were amendments or updates stating that the investigation was complete. Approximately 63% of companies mentioned notifying law enforcement, usually in their first filing. Less than 10% of companies (five companies) disclosed a site such as a blog or press release that would include further information or updates on the incident.
Of the 55 cybersecurity incidents reported, among the most common disclosures were:
- an attack on a company’s operational technology (55% or 30 incidents)
- theft of corporate data (40% or 22 incidents)
- acquisition of/access to consumer data other than health data (33% or 18 incidents)
- an incident occurring at a third party (26% or 14 incidents)
- ransomware (18% or 10 incidents, none of which mention ransomware outright; instead they signal it by stating that data was encrypted and, in some cases, posted externally, although one uses the word ransomware in a further-information blog referenced in the Form 8-K)
Other disclosures were less frequent, including:
- unlawful access or disclosure of personal health data (9% or five incidents)
- security vulnerability or supply chain attacks (7% or four incidents)
- nation-state adversary or advanced persistent threats (6% or three incidents)
- other ransom demands (4% or two incidents)
- financial theft (4% or two incidents)
- internal misuse or insider threat (4% or two incidents)
None of the filings involved denial of service (e.g., DDoS, defacement, or other non-ransomware denials of service), terrorism, or a cyber-related material weakness.
Materiality and Quantification
Of the total of 80 filings, only approximately 14% (11 filings representing nine incidents) stated that the incident was determined to be material in some respect. Four of the filings referred to materiality to business operations and seven of the filings referred to materiality to the quarterly financial results.
In 33% of filings (26 filings), the company stated that the cybersecurity incident was immaterial. In 28% (22 filings), the company stated that it had not yet determined whether the incident was material as of the time of the filing. In one-quarter of the filings (20 filings), the company's statements were a mixture of the two: immaterial in some respects and not yet determined in others. One filing did not mention materiality or state a determination.
Most companies did not quantify the effect of the incident, with only approximately 15% (eight companies) providing either dollar estimates or estimates of the number of individuals impacted by the incident. Although the eight companies that quantified the effect roughly correspond in number to the nine material incidents, material incidents were not always quantified, and immaterial incidents were not always left unquantified. On the contrary, fully half of the companies that quantified the incident also deemed the incident immaterial or had not determined materiality. Only four of the nine material incidents were quantified.
Effect of SEC Guidance
After five months of Form 8-K cybersecurity disclosure, the SEC’s Division of Corporation Finance (Corp Fin) issued guidance on this disclosure. In May 2024, Erik Gerding, then-Director of Corp Fin, released a statement (the Statement) reiterating that the new item was to be used only when the incident is material and noting that a cybersecurity incident for which a company has not yet made a materiality determination or has determined was not material does not trigger a reporting obligation under Item 1.05. The Statement suggested that companies may voluntarily file a Form 8-K under Item 8.01 or another item for such incidents. In June 2024, Corp Fin also issued five new Compliance and Disclosure Interpretations (CDIs) focusing on the materiality determination required under Item 1.05 of Form 8-K.
The Statement and CDIs appear to have had an effect on how companies report cybersecurity incidents. In general, the SEC’s guidance led to fewer Item 1.05 filings and more Item 8.01 filings.
Before the Statement, approximately:
- 72% of the filings were under Item 1.05 (26 filings)
- 28% of the filings were under Item 8.01 (seven filings) or Item 7.01 (three filings)
After the Statement, the relative percentages almost reversed, and the majority of cybersecurity Form 8-Ks were filed under either Item 8.01 or Item 7.01:
- 66% of the filings were made under Item 8.01 (27 filings) or Item 7.01 (two filings)
- 34% of the filings were made under Item 1.05 (15 filings)
In total, 63% of the Item 1.05 Form 8-Ks were filed before the Statement (26 filings before versus 15 after), and 80% of the Item 8.01 Form 8-Ks were filed after the Statement (27 after the Statement versus seven before). Item 7.01 filings were about even (three before and two after).
More amendments (63%, or 12 of the 19) were filed prior to the Statement, with only 37% (seven) filed after the Statement. In contrast, most of the updates not labeled as amendments were filed after the Statement (six of the seven).
Days to File
The average number of days between the date of detection and the date of the first filing was approximately 12 days, although seven companies did not disclose a date of detection. The average number of days between the date of detection and the date of the earliest event reported on the cover of the Form 8-K was slightly higher at approximately 15 days. The average number of days since the previous filing in the case of an amendment was approximately 32 days.
Although the required four-day filing deadline for Item 1.05 Form 8-Ks runs from the date of the materiality determination and not from the date of detection, half of the companies made their first filing (regardless of the item under which the incident was filed) within four days of detection (applying for this purpose the SEC rule regarding not filing on holidays or weekends).
Types of Companies Filing
Based on the SEC’s standard industrial classification, 31.5% of the companies filing Forms 8-K were in Trade and Services, followed by Finance (18.5%), Technology (14.8%), Industrial (14.8%), Manufacturing (13%), Energy and Transportation (5.6%), and Real Estate and Construction (1.9%).
National Security or Public Safety Exception
AT&T’s July 12, 2024, Form 8-K was filed 84 days after detection. AT&T noted, however, that the U.S. Department of Justice had agreed to the delay in filing under Item 1.05(c) as there was a substantial risk to national security or public safety. AT&T is the only company of which we are aware to use this provision.