Key Takeaways
- Form 8-K Item 1.05 requires disclosure within four business days of the date a public company determines a cybersecurity incident is material. The clock runs from the materiality determination, not from discovery of the incident. Companies that delay the determination to defer the filing deadline face SEC scrutiny and class action exposure.
- Regulation S-K Item 106 requires annual disclosure of the company's cybersecurity risk management processes, the role of the board and management in overseeing cyber risk, and whether risks from cybersecurity threats, including as a result of prior incidents, have materially affected or are reasonably likely to materially affect the company. These disclosures must be consistent with prior 8-K filings and with the MD&A treatment of any cyber-related costs or liabilities.
- In an active M&A transaction, a material cybersecurity incident at either the buyer or the target may require immediate amendment of the merger proxy or registration statement. Counsel must coordinate the incident response timeline with the transaction schedule, the merger agreement's notification covenants, and the SEC's filing deadlines simultaneously.
- Class action plaintiffs' counsel routinely scrutinize post-incident 8-K disclosures for inconsistencies with prior risk factor representations and for gaps between the disclosed scope of an incident and the scope that later becomes publicly known. The PSLRA safe harbor offers limited protection for 8-K incident disclosures because they are statements of historical fact, not forward-looking statements.
The Securities and Exchange Commission's cybersecurity disclosure rules, adopted in July 2023 and effective for most reporting companies beginning in December 2023, fundamentally changed the legal obligations of public companies when a cybersecurity incident occurs. The rules operate on two tracks. Form 8-K Item 1.05 imposes an incident-specific, time-sensitive reporting obligation: once a company determines that a cybersecurity incident is material, it has four business days to file a public disclosure. Regulation S-K Item 106 imposes an annual obligation: each 10-K must include a description of the company's cybersecurity risk management program, its governance structure for overseeing cyber risk, and whether risks from cybersecurity threats, including as a result of prior incidents, have materially affected or are reasonably likely to materially affect the company.
In a public company M&A transaction, these obligations do not pause. A buyer conducting diligence on a target is simultaneously managing its own periodic reporting obligations. A target approaching a shareholder vote on a merger is simultaneously subject to the 8-K trigger if a material incident occurs before closing. A combined company that acquires a target with an undisclosed pre-closing cyber incident may face post-closing disclosure obligations, class action exposure, and regulatory scrutiny that the buyer did not anticipate when it signed the merger agreement.
This sub-article is part of the Cybersecurity and Data Breach Diligence in M&A: A Practical Playbook for Buyers and Sellers. It covers the full scope of the SEC's cyber disclosure framework as it applies to public company transactions: the structure and content of the 8-K Item 1.05 obligation, the materiality standard, the national security delay exception, the Item 106 annual disclosure requirements, board and management governance disclosures, disclosure working group composition and operation, integration of target incidents into buyer disclosures, proxy and merger document obligations, the NYDFS and EU NIS2 parallel regimes, and the class action exposure that flows from inadequate disclosure. Nothing in this article constitutes legal advice for any specific transaction.
The 2023 SEC Cyber Disclosure Framework
The SEC adopted its cybersecurity disclosure rules on July 26, 2023, following years of enforcement activity under existing disclosure principles and a 2022 proposed rulemaking. The final rules created two distinct disclosure obligations that operate on different timelines but must be consistent with each other.
The first obligation is event-driven. Form 8-K Item 1.05 requires a reporting company to disclose within four business days of determining that a cybersecurity incident is material. The 8-K must describe the material aspects of the nature, scope, and timing of the incident and its material impact or reasonably likely material impact on the company. Critically, the rule does not require the company to have completed its investigation before filing. It requires disclosure of what is known at the time of the materiality determination, with subsequent 8-K/A amendments as additional material information becomes available.
The second obligation is periodic and annual. Regulation S-K Item 106, added to Form 10-K, requires companies to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats, whether those processes are integrated with the company's overall risk management framework, and whether and how the company uses third-party service providers or assessors in its risk management program. Item 106 also requires disclosure of the board's oversight role and management's role in assessing and managing cybersecurity risks. Both the 8-K and the 10-K disclosures must be drafted and maintained with awareness of each other: inconsistencies between the risk management processes described in the 10-K and the company's actual response to an 8-K incident are a persistent source of regulatory and litigation exposure.
The rules apply to all reporting companies under the Exchange Act, including accelerated filers, large accelerated filers, smaller reporting companies, and emerging growth companies, though smaller reporting companies had an extended compliance date. Foreign private issuers face a modified framework under Form 20-F and Form 6-K that does not include the four-day 8-K trigger but does incorporate the annual risk management and governance disclosure requirements.
Form 8-K Item 1.05: Trigger and Content
Item 1.05 of Form 8-K is triggered not by the occurrence of a cybersecurity incident but by the company's determination that the incident is material. This structure is deliberate: it places the disclosure obligation at the moment of decision rather than at the moment of discovery, and it imports the existing body of securities law on materiality to define the threshold for disclosure.
The content of the Item 1.05 filing must describe: the material aspects of the nature of the incident; the scope of the incident; the timing of the incident; and the material impact, or reasonably likely material impact, on the company, including its financial condition and results of operations. The SEC's adopting release makes clear that the company is not required to disclose specific technical details of its cybersecurity systems, the vulnerability exploited, or information that would impede the company's response or remediation. The disclosure standard is materiality to investors, not technical completeness for incident response purposes.
If the company cannot determine all the required information within four business days of the materiality determination, it must file the 8-K with what it knows and then file an 8-K/A as material additional information becomes available. This phased disclosure approach requires careful judgment: the initial 8-K must contain enough information to satisfy the materiality and investor-relevance standards, while later amendments must update the prior disclosure as the investigation yields additional facts about the scope, origin, or financial impact of the incident.
The 8-K for an incident the company has determined to be material must be filed under Item 1.05, not under Item 8.01 (the catch-all "other events" item), so that material cybersecurity incident disclosures are identifiable to investors; an Item 8.01 filing describing the same incident does not cure a missing Item 1.05 filing. Item 8.01 remains available, and the SEC staff has encouraged its use, for voluntary disclosure of an incident that the company has not determined to be material or whose materiality assessment is still pending. Companies that disclosed incidents under Item 8.01 before the compliance date must use Item 1.05 for any materiality determination made after it.
The Four-Day Clock and What Resets It
The four business day clock begins running when the company determines that the incident is material. Business days exclude Saturdays, Sundays, and federal holidays. A determination made on a Friday afternoon starts a clock that runs through the following Thursday, assuming no intervening holidays; an intervening federal holiday pushes the deadline out by a day. EDGAR's filing cutoff is 5:30 p.m. Eastern time, and a filing accepted after that time is dated the next business day. This timeline is tighter in practice than it appears on paper because the 8-K must be drafted, reviewed by counsel, reviewed by the disclosure committee, signed by a senior officer, and filed through the EDGAR system before the deadline.
The question of what constitutes the materiality "determination" is not self-defining. The SEC's adopting release indicates that a company should make a materiality determination "without unreasonable delay" once it has gathered the information necessary to evaluate whether the incident crosses the materiality threshold. Companies cannot delay convening the disclosure committee, defer legal review, or extend the investigation without a good-faith factual basis for believing that additional time is necessary to assess materiality accurately. A pattern of investigations that stall until a convenient moment, or of materiality determinations that consistently arrive only after the incident has become public through other channels, is the kind of fact pattern that invites SEC inquiry.
The clock does not reset if the company later determines that the incident was more severe than initially understood. Once the materiality determination is made and the 8-K is filed, subsequent material developments require an 8-K/A amendment rather than a new Item 1.05 filing with a new clock; the amendment has its own deadline of four business days after the company, without unreasonable delay, determines the additional information or after that information becomes available. However, if a company initially determines an incident is not material and later, as the investigation progresses, determines that it is material, the four-day clock begins running from that later materiality determination, and the company should document clearly why the earlier assessment did not reach the materiality threshold.
Companies should prepare template 8-K disclosure language and internal escalation procedures in advance so that the drafting and review process can be compressed when an incident occurs. The four-day period is insufficient to draft, negotiate, and file a complex disclosure for the first time. Companies that have pre-positioned their disclosure infrastructure consistently meet the deadline more reliably than those that treat the 8-K as a document to be drafted from scratch under pressure.
Materiality Determinations Under the Rule
The materiality standard for Item 1.05 is the TSC Industries/Basic Inc. standard that governs securities disclosure generally: a fact is material if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision, or if the information would significantly alter the total mix of available information from a reasonable investor's perspective. The SEC did not create a cyber-specific materiality standard; it applied the existing framework to a new category of event.
In the cyber context, a materiality analysis typically considers both quantitative and qualitative factors. Quantitative factors include the financial cost of remediation, the revenue impact of operational disruption, the cost of regulatory notifications and potential fines, and the estimated cost of third-party liability from data exposure. Qualitative factors include the sensitivity of the data compromised, the type of systems affected (customer-facing versus internal), the potential for reputational damage, the scope of regulatory inquiry, the effect on customer or counterparty relationships, and whether the incident suggests a systemic vulnerability in the company's security infrastructure rather than a one-time event.
The materiality determination must be made by an appropriate level of the company's management, typically the Chief Information Security Officer, General Counsel, Chief Financial Officer, and disclosure committee, acting collectively. It should be documented in writing at the time it is made, including the facts known at that time, the factors considered, the conclusion reached, and the basis for the conclusion. A well-documented materiality analysis protects the company in both SEC enforcement proceedings and securities litigation by demonstrating that the determination was made in good faith based on the information available at the time.
Companies should resist the temptation to treat the materiality threshold as a binary on/off determination. In practice, many incidents fall in a gray zone where materiality is uncertain. In those cases, counsel often advises that the company should continue its investigation, document the basis for its preliminary assessment that the incident is not yet determined to be material, and set clear internal milestones for re-evaluating materiality as the investigation progresses. The decision not to file an 8-K carries its own risk: if the incident later proves material and the company's failure to make a timely materiality determination appears to have delayed the filing, the company faces both enforcement exposure and a weak factual record for its defense.
National Security Delay Exception and DOJ Process
The SEC's rules include a limited exception to the four-day disclosure deadline when the Attorney General of the United States determines that immediate public disclosure would pose a substantial risk to national security or public safety. The exception is narrow and procedurally specific: it is not available simply because an incident involves a government contractor or touches a regulated sector.
The process begins when the company notifies the Department of Justice, through the FBI, which receives delay requests under the DOJ's published guidelines and forwards them to the Department, that disclosure of a material cybersecurity incident may implicate national security or public safety concerns. The company must make this request immediately upon its materiality determination, so that the DOJ can evaluate it and, if appropriate, notify the SEC before the four-day period expires. If the Attorney General determines that immediate disclosure poses a substantial risk, the AG notifies the SEC and the company may delay the filing. The initial delay may be for up to 30 days; the AG may extend it by a further 30 days if the risk persists and, in extraordinary circumstances, by up to 60 more days, and any delay beyond that requires an exemptive order from the SEC.
The company must still file the 8-K once the delay period expires or the national security concern is resolved. The exception delays disclosure; it does not eliminate the obligation. During the delay period, the company must maintain the confidentiality of the incident and its disclosure status, and must not make selective disclosures to third parties that would create an informational asymmetry in the market for its securities.
Companies in defense contracting, critical infrastructure (including energy, financial services, and telecommunications), and government services are the most likely candidates for national security delay requests. These companies should have pre-established contacts with their FBI field office, which is the intake point for delay requests under the DOJ guidelines, and with the DOJ's National Security Division, and should understand the process for initiating a request before an incident occurs. The delay exception is not a general mechanism for managing the timing of embarrassing disclosures; it is a narrow national security tool that will be used rarely and that requires genuine involvement from the DOJ to be available.
Regulation S-K Item 106 Annual Disclosures
Item 106 of Regulation S-K requires annual disclosure in the Form 10-K of the company's cybersecurity risk management and strategy. The required disclosures cover three areas: the processes the company uses to assess, identify, and manage material risks from cybersecurity threats; whether those processes are integrated with the company's overall enterprise risk management framework; and whether the company has engaged third-party service providers to assist in its cybersecurity risk management program, including assessors, consultants, auditors, or managed security service providers.
The risk management disclosure must be substantive and specific to the company's actual practices. Generic boilerplate that describes cybersecurity risks in the abstract without tying them to the company's specific systems, industry, or threat environment does not satisfy the rule. The SEC staff has commented on Item 106 disclosures that describe risk management processes at a high level without explaining how those processes are implemented, who is responsible for them, what standards or frameworks the company uses (such as NIST, ISO 27001, or the CIS Controls), and how the program has evolved in response to identified vulnerabilities or prior incidents.
If a cybersecurity incident occurred during the fiscal year, Item 106 requires the company to describe whether any risks from cybersecurity threats, including as a result of that or any previous incident, have materially affected or are reasonably likely to materially affect the company's business strategy, results of operations, or financial condition. This requires coordination between the Item 1.05 disclosure team and the 10-K drafting team to ensure that the annual disclosure is consistent with prior 8-K filings and does not inadvertently add new material information about an incident that should have been disclosed in an 8-K/A. Companies that experienced multiple incidents during the year, or a single incident whose impact evolved over several quarters, face particular complexity in presenting a consistent annual narrative.
Item 106 does not require the company to quantify the dollar cost of its cybersecurity program or to provide technical specifications of its security controls. The objective is investor-oriented disclosure about the company's approach to managing cyber risk, not a technical audit report. However, if the cost of the cybersecurity program is material to the company's financial results, that cost should be addressed in the MD&A section of the 10-K, not merely in the Item 106 section.
Board and Management Governance Disclosures
Item 106 requires separate disclosure of the board's oversight role and management's role in assessing and managing cybersecurity risks. These governance disclosures are among the most practically significant components of the rule because they require companies to articulate their actual governance structure rather than aspirational policies.
For board-level disclosure, Item 106 requires companies to describe whether the full board or a committee has responsibility for overseeing cybersecurity risk, how the board or committee is informed about cybersecurity risks and incidents, and how frequently board-level cybersecurity oversight occurs. Companies with audit committees that have assumed cyber oversight responsibility must describe that responsibility and the process by which the audit committee receives and evaluates cyber risk information from management. Companies whose boards have not formally assigned cyber oversight to a committee must disclose that the full board retains that responsibility and describe the process by which the board is kept informed. The final rule dropped the proposed requirement to disclose the cybersecurity expertise of individual directors; expertise disclosure is required only at the management level.
For management-level disclosure, Item 106 requires companies to describe the positions or committees responsible for assessing and managing cybersecurity risks, the expertise of the relevant personnel in cybersecurity (without requiring disclosure of individual names), the processes by which cybersecurity risks are identified and escalated to the board, and how management integrates cybersecurity risk management into the company's overall risk management framework. Companies that have a Chief Information Security Officer must describe that role and its reporting relationship to senior management and the board. Companies that rely on third-party managed security services must explain how those services are supervised and how the company maintains accountability for its cybersecurity posture.
The governance disclosures create potential liability exposure because they represent public commitments about how the company actually manages cybersecurity risk. If a material incident later reveals that the board was not receiving the cybersecurity briefings described in the 10-K, or that the CISO did not have the escalation authority described in the governance section, the gap between disclosed governance and actual governance becomes a securities fraud allegation in addition to a management failure.
Disclosure Working Groups in Active M&A
Public companies involved in active M&A transactions should establish a dedicated disclosure working group to manage the intersection of cybersecurity incident obligations and transaction disclosure obligations. This working group typically includes securities counsel, M&A counsel, the General Counsel, the CISO, the CFO, and representatives from the company's communications and investor relations functions. In a transaction where outside counsel represents the company in both the M&A and the securities disclosure matters, the working group can be organized internally; when separate counsel handles the transaction and the securities matters, the two firms must coordinate carefully to avoid inconsistencies in public disclosure.
The working group's primary function is to manage information flows between the incident response team, which may have access to sensitive technical details about an ongoing incident, and the disclosure team, which needs to evaluate the materiality of that information for SEC filing purposes. Communications with outside counsel made for the purpose of obtaining legal advice on disclosure are protected by attorney-client privilege, but the underlying facts of the incident are not, and forensic reports prepared at counsel's direction have lost protection in litigation when they were circulated broadly within the company or served business rather than legal purposes. The disclosure itself, once made, creates a public record that governs subsequent securities law obligations. The working group must be structured to preserve privilege over the analysis while ensuring that the disclosure itself is accurate and complete.
In a pending merger, the disclosure working group must also interface with the transaction team to ensure that any required 8-K filings are coordinated with the merger agreement's notice provisions, any applicable standstill or lockup obligations, and the requirements of Regulation FD and Rule 10b-5 as they apply to communications with the merger counterparty, financing sources, and other third parties before the incident is public. Notifying the counterparty or lenders under the merger agreement before the 8-K is filed is consistent with Regulation FD only where the recipients are bound by a duty of confidentiality, and insiders who know of the incident cannot trade in either party's securities until it is disclosed. A material cyber development that coincides with an active marketing period for registered merger financing also requires that the offering documents be corrected before the offering continues.
The working group should also maintain a disclosure log that tracks each cybersecurity incident from detection through materiality determination, the 8-K filing (if any), subsequent 8-K/A amendments, and the ultimate resolution of the incident. This log provides a contemporaneous record of the company's compliance process and is the primary evidentiary document if the SEC or a plaintiff later challenges the adequacy of the company's disclosure timeline.
Treatment of Target Incidents During Diligence
A public company buyer that discovers a material cybersecurity incident at a private acquisition target during diligence does not itself have an immediate 8-K obligation with respect to the target's incident, because the target is not yet a subsidiary of the buyer and the buyer has not itself experienced the incident. However, the buyer must evaluate whether knowledge of the target's incident is material to the buyer's own investors in connection with the pending transaction, and whether that information must be disclosed in the buyer's own periodic reports or in the merger proxy or registration statement.
The analysis is context-specific. If the target is a large acquisition that would materially change the buyer's financial profile, a serious undisclosed cybersecurity incident at the target may be material to the buyer's shareholders because it could affect the value of the acquisition, the buyer's future financial condition after closing, or the likelihood that the merger will be consummated on the agreed terms. In that case, the buyer may need to disclose the target incident in its MD&A or risk factors before the transaction closes, even though the target remains a separate entity.
The buyer should also evaluate the merger agreement's representations and warranties regarding cybersecurity and its material adverse effect provisions. If the target's incident constitutes a breach of its cybersecurity representations, or if the incident is of a severity that could constitute a material adverse effect on the target's business, the buyer may have contractual rights that affect how the transaction proceeds. Those contractual rights, if they could materially affect the transaction, may themselves be material information that affects the buyer's disclosure obligations.
For public company targets involved in pending mergers, the target's own disclosure obligations under Item 1.05 do not pause during the pendency of the transaction. If the target determines that a cyber incident is material, it must file the 8-K within four business days, regardless of whether the merger is pending or whether the buyer has been notified. The merger agreement's pre-closing operating covenants typically require the target to notify the buyer promptly of material events, which should be triggered simultaneously with the target's internal materiality determination process.
Proxy, S-4, and Merger Disclosure Integration
A merger proxy statement or Form S-4 registration statement in a public company merger must include a complete and accurate description of the parties' businesses, risk factors, and financial condition as of the time the document is filed and declared effective. If a material cybersecurity incident occurs at either the buyer or the target after the initial proxy or S-4 filing, the document must be amended to reflect the incident before the shareholder vote is held.
The amendment obligation in the proxy context arises under Exchange Act Section 14(a) and Regulation 14A, which prohibit materially false or misleading proxy solicitation materials. If a material incident occurs after the proxy is filed, the company must file a proxy supplement or amendment disclosing the incident and its impact, even if the company has already filed an 8-K disclosing the same incident. The proxy supplement serves a different function than the 8-K: it presents the updated information in the context of the shareholder vote decision, explains the incident's effect on the transaction and the combined company's prospects, and allows shareholders to evaluate the incident before voting.
In a Form S-4 registration statement, the same logic applies but with the added overlay of Securities Act Section 11 liability. The S-4 must be accurate as of its effective date, and material developments after effectiveness must be addressed in a prospectus supplement filed under Securities Act Rule 424(b) or, where the change is fundamental, in a post-effective amendment. If the S-4 is effective and the company later discovers a material cybersecurity incident that occurred before the effective date but was not known at the time, the company must correct the disclosure by supplement or post-effective amendment and may face Section 11 liability for the original omission.
Risk factor disclosure in the proxy and S-4 must address cybersecurity risk in a manner that is specific to the companies involved and consistent with the Item 106 annual disclosures. Generic risk factor language that describes cybersecurity risks in the abstract without tying them to the specific transaction or the combined company's anticipated security posture is unlikely to satisfy SEC staff review and may not adequately put shareholders on notice of the actual risks they face as investors in the combined company.
Non-US Parallel Regimes: NIS2, NYDFS, and UK
Public companies with operations, customers, or regulated entities in non-US jurisdictions face cybersecurity incident notification obligations that may run parallel to, and in some cases conflict with, the SEC's disclosure framework. Managing these overlapping obligations in a timely and consistent manner is one of the most operationally complex aspects of cross-border cybersecurity incident response.
The European Union's Network and Information Security Directive 2 (NIS2), which EU member states were required to transpose into national law by October 2024, imposes incident notification obligations on entities in critical sectors including energy, transport, banking, financial market infrastructure, health, and digital infrastructure. NIS2 requires affected entities to notify their national competent authority of significant incidents within 24 hours of becoming aware of the incident (an "early warning"), with a more detailed notification within 72 hours. This timeline is substantially shorter than the SEC's four-business-day window and runs from awareness of the incident rather than from a materiality determination. Companies with EU operations must coordinate their EU notifications with their SEC disclosure process, taking care not to create inconsistencies between the early warning filed with EU regulators and the disclosure ultimately made in the Form 8-K.
The New York Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR Part 500) applies to financial services companies holding a NYDFS license, including banks, insurance companies, and mortgage servicers. The NYDFS rules require covered entities to notify the NYDFS within 72 hours of determining that a cybersecurity event has occurred that has a reasonable likelihood of materially harming any material part of the entity's normal operations, that requires notice to any other government, self-regulatory, or supervisory body, or (under the November 2023 amendments) that involves ransomware deployed within a material part of the entity's information systems. Any extortion payment must be reported within 24 hours, with a written explanation of the payment decision within 30 days. The NYDFS definition of a reportable event is not identical to the SEC's materiality standard, and a company subject to both regimes may face situations where an event triggers the NYDFS notification requirement before the SEC's four-day window begins, or where the NYDFS notification must be made under circumstances where the SEC disclosure would not yet be required.
In the United Kingdom, the Network and Information Systems (NIS) Regulations 2018 impose notification obligations on operators of essential services and relevant digital service providers. Post-Brexit, the UK is developing its own approach to NIS2 equivalence, and companies should monitor regulatory developments. UK-listed companies are also subject to the Financial Conduct Authority's disclosure rules under the Market Abuse Regulation as it applies in the UK (UK MAR), which require disclosure of inside information (including material cybersecurity incidents) as soon as possible. Delay is permitted only where immediate disclosure would prejudice the issuer's legitimate interests, the delay is not likely to mislead the public, and confidentiality can be ensured. This standard is generally understood to be stricter than the SEC's four-business-day window, requiring disclosure as soon as the inside information threshold is reached rather than within a defined period after the determination.
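A practitioner coordinating these clocks will want the deadlines computed the same way every time rather than counted on a calendar under pressure. The following Python script is an added example, not part of the original article and not any regulator's tooling: it computes the Item 1.05 deadline as four business days after the materiality determination (weekends and observed US federal holidays excluded) and lays it beside the NIS2 24-hour and 72-hour clocks, which run from awareness, and the NYDFS 72-hour clock, which runs from the determination that a reportable event occurred. The 5:30 p.m. Eastern filing time, the naive Eastern-time datetimes, and the assumption that the NYDFS determination coincides with the SEC materiality determination are assumptions of the example, not rules; the scenario dates are constructed.

```python
"""Added example: multi-regime incident notification clocks.

Not part of the original article. Implements the deadlines as the text states
them: SEC Form 8-K Item 1.05 = four business days after the materiality
determination (weekends and observed US federal holidays excluded); NIS2 early
warning = 24h and incident notification = 72h after becoming aware; NYDFS
Part 500 = 72h after determining a reportable event occurred. Assumptions of
this example: all times are naive Eastern-time datetimes, the 8-K is filed by
EDGAR's 5:30 p.m. ET cutoff, and the NYDFS determination coincides with the
SEC materiality determination.
"""
from datetime import date, datetime, time, timedelta


def _nth_weekday(year, month, weekday, n):
    """n-th occurrence (1-based; n == -1 means last) of weekday (Mon=0) in a month."""
    if n > 0:
        first = date(year, month, 1)
        first += timedelta(days=(weekday - first.weekday()) % 7)
        return first + timedelta(weeks=n - 1)
    next_month = date(year + 1, 1, 1) if month == 12 else date(year, month + 1, 1)
    last = next_month - timedelta(days=1)
    return last - timedelta(days=(last.weekday() - weekday) % 7)


def _observed(d):
    """A federal holiday on a Saturday is observed Friday; on a Sunday, Monday."""
    if d.weekday() == 5:
        return d - timedelta(days=1)
    if d.weekday() == 6:
        return d + timedelta(days=1)
    return d


def us_federal_holidays(year):
    """Observed dates of the eleven US federal holidays in a calendar year."""
    # New Year's Day, Juneteenth, Independence Day, Veterans Day, Christmas
    fixed = [(1, 1), (6, 19), (7, 4), (11, 11), (12, 25)]
    floating = [
        _nth_weekday(year, 1, 0, 3),   # Martin Luther King Jr. Day
        _nth_weekday(year, 2, 0, 3),   # Washington's Birthday
        _nth_weekday(year, 5, 0, -1),  # Memorial Day
        _nth_weekday(year, 9, 0, 1),   # Labor Day
        _nth_weekday(year, 10, 0, 2),  # Columbus Day
        _nth_weekday(year, 11, 3, 4),  # Thanksgiving
    ]
    return {_observed(date(year, m, d)) for m, d in fixed} | set(floating)


def is_business_day(d):
    """Weekday that is not an observed federal holiday (EDGAR is closed on both)."""
    if d.weekday() >= 5:
        return False
    # Next year's New Year's Day can be observed on 31 December of this year.
    return d not in (us_federal_holidays(d.year) | us_federal_holidays(d.year + 1))


def add_business_days(start, n):
    """Date n business days after start; the start date itself is day zero."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if is_business_day(d):
            n -= 1
    return d


def sec_8k_deadline(determination):
    """Last day to file the Item 1.05 8-K: four business days after the determination."""
    if isinstance(determination, str):
        determination = date.fromisoformat(determination)
    return add_business_days(determination, 4)


def notification_timeline(aware_at, determined_at):
    """Deadlines under each regime, earliest first, as (label, naive ET datetime).

    aware_at: ISO datetime when the company became aware (NIS2 clock).
    determined_at: ISO datetime of the materiality determination (SEC clock;
    assumed in this example to be the NYDFS reportable-event determination too).
    """
    aware_at = datetime.fromisoformat(aware_at)
    determined_at = datetime.fromisoformat(determined_at)
    sec_day = sec_8k_deadline(determined_at.date())
    deadlines = [
        ("NIS2 early warning (24h from awareness)", aware_at + timedelta(hours=24)),
        ("NIS2 incident notification (72h from awareness)", aware_at + timedelta(hours=72)),
        ("NYDFS Part 500 notice (72h from determination)", determined_at + timedelta(hours=72)),
        ("SEC Form 8-K Item 1.05 (4 business days, EDGAR 5:30 p.m. ET)",
         datetime.combine(sec_day, time(17, 30))),
    ]
    return sorted(deadlines, key=lambda item: item[1])


if __name__ == "__main__":
    # Constructed scenario: aware late Thursday 11 Jan 2024, determined material
    # on Friday afternoon. Monday 15 Jan 2024 is MLK Day, so the 8-K is due
    # Friday 19 Jan, not Thursday 18 Jan.
    for label, due in notification_timeline("2024-01-11T22:00", "2024-01-12T15:00"):
        print(f"{due:%a %Y-%m-%d %H:%M}  {label}")
```

The holiday table is the point of the exercise: a Friday determination normally yields a Thursday deadline, but a Monday holiday moves it to Friday, and a Christmas-week determination loses a day the same way. The script sorts the regimes so the working group sees which regulator hears first; in the constructed scenario the NIS2 early warning falls due a full week before the 8-K, which is exactly the window in which the EU notification and the eventual 8-K must be kept consistent.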
Class Action Exposure and PSLRA Safe Harbor
Securities class actions following cybersecurity incidents have become a well-established feature of the post-breach legal landscape for public companies. The typical class action theory alleges that the company made materially false or misleading statements about its cybersecurity practices (in its 10-K Item 106 disclosures, its risk factors, or public statements by management), that the company failed to timely disclose a material incident in violation of Item 1.05, or that the company's post-incident disclosure understated the scope or impact of the breach, causing investors to suffer losses when the true scope of the incident became publicly known.
The Private Securities Litigation Reform Act (PSLRA) provides a safe harbor for forward-looking statements that are accompanied by meaningful cautionary language identifying factors that could cause actual results to differ materially from the forward-looking projection. However, the PSLRA safe harbor does not protect statements of historical fact. An 8-K Item 1.05 disclosure that describes the nature and scope of an incident as it was understood at the time of filing is a statement of present fact, not a forward-looking projection, and is not eligible for PSLRA safe harbor protection. If the described scope of the incident later proves to have been understated because the company knew more than it disclosed, the PSLRA safe harbor is unavailable.
Class action plaintiffs in the cyber context routinely allege that the company's risk factor disclosures regarding cybersecurity were materially misleading because they described cyber risk as a hypothetical future concern when the company was already experiencing (or had recently experienced) a significant incident. The SEC's rules make this type of allegation easier to pursue because the 10-K now requires specific, affirmative disclosure of whether material incidents occurred during the fiscal year. A company that states in its Item 106 disclosure that no material incidents occurred during the fiscal year, but that was in fact managing a significant incident that it had determined was not material, faces the risk that a court will find that the materiality determination was made in bad faith if the incident later proves to have been severe.
Companies should approach both the 8-K and the 10-K cyber disclosures with the class action theory in mind from the outset of drafting. The goal is not to minimize disclosure to reduce competitive sensitivity or management embarrassment, but to provide a disclosure that is accurate, consistent, and complete enough that it cannot later be characterized as understating a known problem. Counsel experienced in both incident response and securities litigation should be involved in reviewing the disclosure before it is filed, not only to satisfy the technical requirements of the SEC rules but to evaluate the disclosure against the litigation risk that follows every significant cyber event at a public company.
Frequently Asked Questions
Is a ransomware attack always a material cybersecurity incident requiring an 8-K filing?
No. Ransomware does not automatically trigger an 8-K filing obligation. The materiality determination under the 2023 SEC rule follows the same standard applied in other securities disclosure contexts: whether there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision. A ransomware attack that encrypts a small subset of non-critical data, is contained within hours, and has no meaningful financial or operational impact may not be material. Conversely, a ransomware attack that disrupts production operations for an extended period, exposes sensitive customer or financial data, triggers regulatory notification obligations, or requires significant remediation expenditure is likely to be material. The company must conduct a documented, good-faith materiality analysis that considers qualitative and quantitative factors, including financial impact, reputational harm, regulatory exposure, and third-party liability. The determination cannot be based solely on whether the company paid a ransom or recovered encrypted data.
When does the four-day clock start for a Form 8-K Item 1.05 filing?
The four-business-day clock starts from the date the company determines that a cybersecurity incident is material, not from the date the incident was discovered or first detected. This distinction is significant: a company may experience a network intrusion on Day 1, discover it on Day 5, begin investigation on Day 6, and not complete its materiality determination until Day 20. The four-business-day filing clock runs from Day 20. The SEC's adopting release emphasizes that companies should not delay materiality determinations unreasonably, and that a company cannot strategically extend the investigation period to defer the filing clock. Counsel and the disclosure committee should document the timeline of discovery, investigation milestones, and the materiality determination, including the date the determination was formally made, so that the four-day clock is traceable to a specific, defensible decision point rather than appearing to have been manipulated.
What documentation is required to support a national security delay request?
When the Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety, the SEC may permit a delay beyond the standard four-business-day period. The process begins with the company notifying the Department of Justice that it believes disclosure may implicate national security concerns. The DOJ then makes a referral to the SEC requesting the delay, specifying the basis for the national security determination and the requested delay period. The company must maintain internal documentation showing the basis for its belief that national security concerns were present, the date of its DOJ notification, and the subsequent communications with DOJ and the SEC. The delay is not self-executing: the company cannot unilaterally delay filing by asserting national security concerns without DOJ involvement. If the DOJ declines to make a referral, the four-day clock runs without modification. Companies in the defense, critical infrastructure, and financial services sectors are the most common candidates for national security delay requests.
What is the difference between a 10-Q amendment and a new 8-K for updating prior cyber disclosures?
A Form 8-K Item 1.05 filing is required when a material cybersecurity incident occurs. If material changes to the information previously disclosed in the 8-K occur, the company must file an amendment to the 8-K (an 8-K/A) disclosing those updated facts. This is the mechanism for updating the incident-specific disclosure as the company learns more about the scope, impact, and remediation of the incident. A Form 10-Q, by contrast, is the quarterly report that addresses the company's financial condition and results for the quarter. If a material cybersecurity incident occurred or was ongoing during the relevant quarter, the 10-Q must disclose the incident and its impact on the company's financial statements and operations, even if an 8-K was already filed. The 10-Q and 8-K/A serve different functions and neither substitutes for the other. An 8-K/A addresses specific updates to the original incident disclosure, while the 10-Q provides the comprehensive quarterly view of the incident's effect on the company's financial position and outlook.
When must a buyer publicly disclose a target's cybersecurity incident during an active M&A transaction?
A buyer that is itself a reporting company must consider whether a material cybersecurity incident at the acquisition target requires disclosure in the buyer's own SEC filings, even before the transaction closes. If the buyer learns during diligence of a material incident at the target that, after closing, would have a material effect on the combined company's financial condition or results, that information may need to be disclosed in the buyer's annual or quarterly reports under the requirements of Item 303 (MD&A) or Regulation S-K Item 106, and potentially in the merger proxy or registration statement. The buyer does not file an 8-K for the target's incident before closing because the target remains a separate reporting company. The buyer's disclosure obligation turns on whether the information is material to the buyer's own investors in connection with the pending transaction. After closing, the buyer succeeds to the target's reporting obligations and must evaluate whether the target's incident requires a post-closing 8-K from the combined company.
How does a cybersecurity incident at the target get integrated into the merger proxy or Form S-4?
If a material cybersecurity incident occurs at the acquisition target during the period between signing and closing of a public company merger, the incident must be evaluated for inclusion in the proxy statement or Form S-4 registration statement used to solicit shareholder approval. A material incident may require an amendment to the proxy or S-4 to update the risk factors, the target's business description, and the MD&A. The updated disclosure must address the nature and scope of the incident, the estimated financial impact, the regulatory notifications made, and any effect on the pending transaction, including whether the incident triggered any material adverse effect analysis under the merger agreement. SEC staff will review proxy and S-4 amendments for consistency between the incident disclosure and the financial statements. If the incident occurred before the proxy was originally filed but was not disclosed, the SEC staff may require additional disclosure and explanation of the omission. Counsel should coordinate the incident response and public disclosure timeline with the transaction schedule to avoid creating conflicts between the merger agreement's notification obligations and the SEC's filing deadlines.
How should a company align its incident response playbook with its SEC disclosure obligations?
A company's incident response plan should be designed from the outset with the 8-K filing timeline in mind. The playbook should specify: who is notified when an incident is detected; when outside counsel and the disclosure committee are engaged; what information must be gathered before a materiality determination can be made; who has authority to make the materiality determination; and how the four-day clock is tracked from the determination date. Companies that separate the incident response function from the legal and disclosure function risk allowing technical remediation efforts to proceed without triggering the legal review process in time to meet the filing deadline. The disclosure committee should be convened within 24 to 48 hours of an incident that appears potentially significant, so that the materiality determination can be made promptly if the investigation confirms a serious incident, rather than after a prolonged investigation that leaves insufficient time to prepare and file the 8-K. The playbook should also address the national security notification procedure, third-party notification obligations, and the interface between the SEC disclosure and any state breach notification laws.
Are foreign private issuers subject to the SEC's 2023 cyber disclosure rules?
Foreign private issuers (FPIs) are not subject to Form 8-K Item 1.05 because FPIs do not file Form 8-K. They report material events on Form 6-K, a more flexible form used to furnish to the SEC information that the FPI has made public, is required to make public under foreign law, or distributes to its security holders. The SEC has not adopted a specific cyber incident disclosure rule for Form 6-K equivalent to the Item 1.05 four-day trigger, but an FPI that experiences a material cybersecurity incident and makes that information public in its home jurisdiction (for example, under the EU's NIS2 Directive or the UK's network and information systems regulations) would typically furnish that information to the SEC on a Form 6-K. FPIs are also subject to Item 106 of Regulation S-K if they file annual reports on Form 20-F, which incorporates the risk management and governance disclosure requirements that apply to domestic issuers on Form 10-K. FPIs contemplating a U.S. listing or with existing U.S. reporting obligations should map their home-country cyber disclosure obligations against the SEC framework before a material incident occurs.
Counsel for SEC Cyber Disclosure in Public Company M&A
Acquisition Stars advises public company buyers and targets on Form 8-K Item 1.05 compliance, materiality determinations, disclosure working group structure, merger proxy integration, and multi-jurisdictional notification coordination across active M&A transactions. Submit your transaction details for an initial assessment.
Related Practice Areas
Our attorneys handle M&A transactions and securities matters nationwide. Alex Lubyansky leads every engagement personally.