by Keith McCammon

In 2023, the Securities and Exchange Commission (SEC) published rule 33-11216 Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, where the operative requirement is that companies disclose material cybersecurity incidents. The summary disclosure requirement is as follows:

Form 8-K Item 1.05 - Material Cybersecurity Incidents

Registrants must disclose any cybersecurity incident they experience that is determined to be material, and describe the material aspects of its:

  • Nature, scope, and timing; and
  • Impact or reasonably likely impact.

An Item 1.05 Form 8-K must be filed within four business days of determining an incident was material. A registrant may delay filing as described below, if the United States Attorney General (“Attorney General”) determines immediate disclosure would pose a substantial risk to national security or public safety.

Registrants must amend a prior Item 1.05 Form 8-K to disclose any information called for in Item 1.05(a) that was not determined or was unavailable at the time of the initial Form 8-K filing.

How to find or subscribe to SEC cybersecurity incident disclosures

In theory, looking for Form 8-K that contains Item 1.05 should be sufficient. However, there are a number of disclosures that contain other Item types and references. For instance, this Okta filing simply references both their standard quarterly earnings press release and a blog post, both published on the same date, disclosing a security incident.

Here are a few ways to find and/or subscribe to relevant filings using SEC-provided tools.

Historical EDGAR Header Search (deprecated, but available as of 2024-05)

These results will be more accurate for initial disclosures and substantive updates that explicitly contain “ITEM 1.05 MATERIAL CYBERSECURITY INCIDENTS”.

Search for initial disclosures

RSS feed of initial disclosures

By way of example, the RSS feed returned by the Historical EDGAR Header Search will give Feedly users a neat and tidy list of disclosures that looks like this:

alt

EDGAR Full Text Search

These results will be more expansive, and are more likely to surface the many disclosures related to cybersecurity incidents that do not contain the material incidents item. For example, a company may have experienced an incident and decided to disclose it, but it is not material because they expect no impact to shareholder value.

Search for initial disclosures

Search for all 8-K filings that mention “cybersecurity incident”

Other approaches

  • SECurityTr8Ker - “SECurityTr8Ker is a Python script designed to monitor the U.S. Securities and Exchange Commission’s (SEC) RSS feed for new 8-K filings that contain material related to cybersecurity incidents. This script is tailored for cybersecurity analysts, financial professionals, and researchers interested in real-time alerts of potential cybersecurity incidents disclosed by publicly traded companies.”
  • Follow @SECurityTr8Ker - A Twitter feed powered by the above open source project.

Notes and edge cases

  • This Orion 8-K filing, which discloses “multiple fraudulently induced outbound wire transfers to accounts controlled by unknown third parties” to the tune of $60M, would not be identified via the above. While these types of frauds are often associated with cybersecurity incidents (e.g., business email compromise, or BEC), they can and do happen independent of cyber-related vectors.

Categories:

Updated:

You May Also Enjoy

A simple framework for talking to leadership about a cybersecurity program, particularly for an inbound security leader looking to level-set:

Where do your incidents come from?