Speaking with CISOs and other C-Level executives of publicly traded companies about the Final 8-K Cybersecurity rule disclosures starting to take effect with files after December 15th, 2023, one of the questions raised is if there are representative examples of how to do the 8k disclosures. Key considerations include explanations on time, nature, and materiality of incident. Remediation details can be omitted but updates are recommended.
Prior to the Final Rule Item 1.05 disclosure on the 8K, several companies were already disclosing significant cyber security incidents/ breaches. Below are some examples of 3 well-known companies OKTA, Clorox, 23andMe and their disclosures.
This can help CISO, CFOs and Financial Reporting personnel obtain an idea of how-to best address disclosures. However, the details of the specific requirements of the 8K disclosure are found on the 8K instructions (https://www.sec.gov/files/form8-k.pdf)
1. OKTA (NASDAQ: OKTA) September- October 2023 breach:
8k Filing issued on November 29th, 2023 as an Item 7.01 FD Regulation Disclosure. Incident between September 28th and October 17, 2023. Reported to customers on October 19th, 2023. (timing of incident addressed in disclosure). Per the Final rule the registrant must File Item 1.05 within 4 business days after determining that the incident is material to the organization. The timeline is tied to the determination rather than the actual discovery of the incident, although determination should be made without unreasonable delay. It most likely would be questionable the lapse in time between the disclosure and when the actual events took place if enforcement of Item 1.05 was in effect.
Lastly, the Final Rule doesn’t require disclosure of remediation steps. However, Okta explained both the nature of the incident and remediation probably to be proactive and mitigate reputation risk.
Materiality considerations have not been addressed by OKTA as of recent.
Links below to disclosures:
https://www.sec.gov/ix?doc=/Archives/edgar/data/1660134/000166013423000065/okta-20231129.htm
2. Clorox (CLX: NYSE) Data Breach- August 2023
Initial 8k filing issued on September 18th, 2023, that on August 14th, 2023, an incident of unauthorized activity took place where Clorox chose to take certain systems offline to contain the issue. Per the Final rule, the registrant must File Item 1.05 within 4 business days after determining that the incident is material to the organization. The timeline is tied to the determination rather than the actual discovery of the incident, although determination should be made without unreasonable delay. It most likely would be questionable the lapse in time between the disclosure and when the actual events took place if enforcement of Item 1.05 was in effect.
Moreover, in the additional filing and press release issued on October 4th, 2023, the company clearly stated the financial impact of the cyber security incident on net sales, gross margin, diluted net earnings per share, and adjusted EPS. Clorox appears to have addressed timing, nature, and materiality implications in its disclosures.
https://www.sec.gov/ix?doc=/Archives/edgar/data/21076/000120677423001133/clx4242401-8k.htm(Initial filing, September 18th, 2023)
https://www.sec.gov/ix?doc=/Archives/edgar/data/21076/000120677423001174/clx4249171-8k.htm (additional reference but not as an amendment on October 4th, 2023)
https://www.sec.gov/Archives/edgar/data/21076/000120677423001174/clx4249171-ex991.htm (link to the press release on amendment).
3. 23andMe (ME: NASDAQ)- Breach in October 2023:
The filing took place on October 10th, 2023, with an amendment shortly after. Details on the amendment include more details about when and how the incident took place (timing and nature), the timing of the incident, and estimated costs of attending to the incident between 1 and 2 million that as stated in the filing could negatively affect financial results. Moreover, the company provides information about the filing of multiple class action suits by states and a nation.
https://www.sec.gov/ix?doc=/Archives/edgar/data/1804591/000119312523253488/d520529d8k.htm (Initial filing on October 10th, 2023)
https://www.sec.gov/ix?doc=/Archives/edgar/data/1804591/000119312523287449/d242666d8ka.htm (amendment)
