
In 2023, the Securities and Exchange Commission (SEC) published rule 33-11216, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, whose operative requirement is that companies disclose material cybersecurity incidents. The summary disclosure requirement is as follows:

Form 8-K Item 1.05 - Material Cybersecurity Incidents

Registrants must disclose any cybersecurity incident they experience that is determined to be material, and describe the material aspects of its:

  • Nature, scope, and timing; and
  • Impact or reasonably likely impact.

An Item 1.05 Form 8-K must be filed within four business days of determining an incident was material. A registrant may delay filing as described below, if the United States Attorney General (“Attorney General”) determines immediate disclosure would pose a substantial risk to national security or public safety.

Registrants must amend a prior Item 1.05 Form 8-K to disclose any information called for in Item 1.05(a) that was not determined or was unavailable at the time of the initial Form 8-K filing.

How to find or subscribe to SEC cybersecurity incident disclosures

In theory, looking for Form 8-K filings that contain Item 1.05 should be sufficient. However, a number of disclosures contain other Item types and references. For instance, this Okta filing simply references both their standard quarterly earnings press release and a blog post, both published on the same date, disclosing a security incident.

Here are a few ways to find and/or subscribe to relevant filings using SEC-provided tools.

Historical EDGAR Header Search (deprecated, but available as of 2024-05)

Search for initial disclosures

RSS feed of initial disclosures

EDGAR Full Text Search

Search for initial disclosures

Search for all 8-K filings related to cybersecurity incidents
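
The Item 1.05 caveat above, and the split between initial disclosures and all related 8-K filings, can be applied to a filing list in code. This is an added example, not part of the original post or an SEC tool; it assumes input in the column-per-field layout of the `filings.recent` object in the SEC's per-company submissions JSON, and the sample data, `triage` and `rows` are constructed for illustration.

```python
import json

# Constructed sample in the column-per-field layout of the "filings.recent"
# object in SEC submissions JSON (assumed shape; all values are made up).
SAMPLE = json.loads("""
{"filings": {"recent": {
  "accessionNumber": ["0000000000-24-000001", "0000000000-24-000002",
                      "0000000000-24-000003", "0000000000-24-000004"],
  "filingDate": ["2024-03-01", "2024-03-20", "2024-04-02", "2024-04-15"],
  "form":  ["8-K", "8-K/A", "8-K", "10-Q"],
  "items": ["1.05", "1.05,9.01", "2.02,7.01,9.01", ""]
}}}
""")

CYBER_ITEM = "1.05"  # Form 8-K Item 1.05, Material Cybersecurity Incidents


def rows(submissions):
    """Turn the parallel arrays into one dict per filing."""
    recent = submissions["filings"]["recent"]
    keys = list(recent)
    return [dict(zip(keys, vals)) for vals in zip(*(recent[k] for k in keys))]


def triage(submissions):
    """Bucket 8-K filings by how Item 1.05 appears in their item list."""
    out = {"initial": [], "amendment": [], "review": []}
    for f in rows(submissions):
        form = f["form"].strip().upper()
        if form not in ("8-K", "8-K/A"):
            continue  # Item 1.05 is a Form 8-K item; skip other form types
        items = {i.strip() for i in f["items"].split(",") if i.strip()}
        if CYBER_ITEM in items:
            bucket = "amendment" if form.endswith("/A") else "initial"
        else:
            # No 1.05 tag: an incident may still be referenced under other
            # items, so these need a full-text check rather than dismissal.
            bucket = "review"
        out[bucket].append((f["filingDate"], f["accessionNumber"], sorted(items)))
    return out


if __name__ == "__main__":
    for bucket, filings in triage(SAMPLE).items():
        for date, accession, items in filings:
            print(f"{bucket:9} {date} {accession} items={','.join(items)}")
```

The `review` bucket is deliberately broad: item codes alone cannot tell whether an 8-K without Item 1.05 mentions an incident, so those filings still need a full-text search.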