Proposed Reporting about Cybersecurity Incidents on Form 8-K

Article Brief 2 of 5 from Clearwater Founder and Executive Chairman, Bob Chaput

In a continuation of Bob Chaput’s blog series on the SEC’s proposed changes and increased reporting requirements, Clearwater’s Founder and Executive Chairman dives deeper into the proposed requirements around “Reporting of Cybersecurity Incidents on Form 8-K.”

In short, Form 8-K is known as the “current report” and is used to announce significant events at a company that investors should know about. The SEC is proposing that public companies be required to disclose the following information about a material cybersecurity incident within four business days after the company determines that the incident is material (it is the materiality determination, not the incident itself, that triggers the filing):

  • When the incident was discovered and whether it is ongoing
  • A brief description of the nature and scope of the incident
  • Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose
  • The effect of the incident on the registrant’s operations, and
  • Whether the registrant has remediated or is currently remediating the incident

Why this proposed change?

To address growing concerns about underreporting and untimely reporting of cyber incidents.

If you represent a healthcare organization, this may sound similar to the HIPAA Breach Notification Rule. However, HIPAA requires notification without unreasonable delay and no later than 60 calendar days after discovery of a breach, vs. the four business days the SEC is proposing.

Whether you represent a private company, a not-for-profit, or a start-up that isn’t affected by the SEC’s proposed changes, or a publicly traded company that is, the important takeaway is that robust incident response is key, and it is a component of several regulations affecting various types of organizations.

Bob recommends executives and boards of directors ask and discuss the following in preparation:

  1. What is the current state of your cyber incident response and reporting practices today? Do you have reasonable and appropriate policies, procedures, and forms to ensure documentation and follow-up?
  2. Does your organization regularly and consistently conduct tabletop exercises to test your incident response program?
  3. Do you include “materiality assessments” in your incident response, and are you prepared to identify “material cybersecurity incidents” according to the SEC’s definitions?
  4. Are you currently prepared to evaluate the total mix of information related to a cybersecurity incident, considering all relevant facts and circumstances, including quantitative and qualitative factors, to determine whether the incident is material?
  5. Should you start conducting “materiality assessments” today to prepare for these likely reporting requirements? (Yes!)
  6. Is there clarity around the roles and responsibilities of C-suite executives and the board?
  7. What governance structure should you implement to assess cybersecurity incidents today?

This article highlights some of Bob’s major takeaways, but we recommend you read his full article at bobchaput.com.
