Proposed Reporting about Cybersecurity Incidents on Form 8-K

Article Brief 2 of 5 from Clearwater Founder and Executive Chairman, Bob Chaput

In a continuation of Bob Chaput’s blog series on the SEC’s proposed changes and increased reporting requirements, Clearwater’s Founder and Executive Chairman dives deeper into the proposed requirements around “Reporting of Cybersecurity Incidents on Form 8-K.”

In short, Form 8-K is known as the “current report” and is used to announce significant events at a company that investors should know about. The SEC is proposing that public companies be required to disclose the following information about a material cybersecurity incident within 4 days of the incident that triggers the filing:

• When the incident was discovered and whether it is ongoing
• A brief description of the nature and scope of the incident
• Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose
• The effect of the incident on the registrant’s operations, and
• Whether the registrant has remediated or is currently remediating the incident

Why this proposed change?

To address growing concerns about underreporting and untimely reporting of cyber incidents.

If you represent a healthcare organization, this may sound similar to the HIPAA Breach Notification Rule. However, HIPAA allows up to 60 days to report an incident vs. the proposed 4 days from the SEC.

Whether you’re a private, not-for-profit, or a start-up that isn’t affected by the SEC’s proposed changes or a publicly-traded company that is, the important takeaway is that robust incident response is key and a component of several regulations affecting various types of organizations.

Bob recommends executives and boards of directors ask and discuss the following in preparation:

1. What is the current state of your cyber incident response and reporting practices today? Do you have reasonable and appropriate policies, procedures, and forms to ensure documentation and follow-up?
2. Does your organization regularly and consistently conduct tabletop exercises to test your incident response program?
3. Do you include “materiality assessments” in your incident response, and are you prepared to identify “material cybersecurity incidents” according to the SEC’s definitions?
4. Are you currently prepared to evaluate the total mix of information related to a cybersecurity incident, considering all relevant facts and circumstances, including quantitative and qualitative factors, to determine whether the incident is material?
5. Should you start conducting “materiality assessments” today to prepare for these likely reporting requirements? (Yes!)
6. Is there clarity around the roles and responsibilities of C-suite executives and the board?
7. What governance structure should you implement to assess cybersecurity incidents today?

This article highlights some of Bob’s major takeaways, but we recommend you read his full article at bobchaput.com.