Direct link to the 8-K Incident Handling Checklist
The Securities and Exchange Commission (SEC) recently implemented a new mandate requiring public companies to disclose material cybersecurity incidents through Form 8-K, Item 1.05. This new regulation is a significant step towards increased transparency and investor protection, and the objective of this checklist is to provide a consistent path for public companies to shape their 8-K disclosures. In the past, there was no standardized approach to disclosing cybersecurity incidents, making it difficult for investors to assess a company’s cybersecurity risk posture and the potential impact of an attack. The SEC’s mandate ensures that investors have access to current, consistent, and beneficial information regarding a company’s cybersecurity practices and any material incidents they experience.
Understanding 8-K Item 1.05 Disclosure Requirements
Item 1.05 mandates disclosure of material cybersecurity incidents within four business days after the registrant determines that the incident is material. This means companies are obligated to report incidents that have a significant impact on their financial health or operations. Companies are also required not to delay their materiality determination once a cybersecurity incident is discovered. The disclosure itself should focus on:
- The nature, scope, and timing of the incident, focusing on material aspects; and
- The material impact, or potential for material impact, on the company’s financial condition and operations.
Streamlined Incident Handling with our 8-K Checklist
To navigate these complex disclosure requirements and ensure effective incident response, we’re excited to announce the availability of our new 8-K Incident Handling Checklist. This is the first incident response resource provided by board-cybersecurity.com and is intended to serve as a common approach to aligning your incident response process with SEC requirements. The checklist, aligned with the NIST Risk Management Framework (RMF) and the NIST Computer Security Incident Handling Guide, equips you with a structured approach to incident response.
Frameworks for Risk Management
When it comes to cybersecurity frameworks, both NIST CSF and NIST RMF offer valuable guidance. NIST CSF provides a voluntary, flexible framework with recommended security controls for organizations of all sizes. NIST RMF, on the other hand, is a mandatory process specifically designed for federal agencies to manage cybersecurity risks. It enforces a more structured approach with formal approval requirements. For our purposes, the choice is driven primarily by the need to comply with the US DOJ guidance on material cybersecurity incident delay determinations. Utilizing NIST RMF ensures we operate with a common language aligned with federal regulations and oversight structures.
Key Benefits of the 8-K Incident Handling Checklist
- Focused on Materiality: It guides users in assessing the materiality of an incident, aiding in determining disclosure obligations according to Item 1.05.
- Qualitative and Quantitative Guidance: The checklist focuses assessment not just on the bottom line, but also on the various stakeholders who have a vested interest in your company.
- Aligned with Industry Standards: The checklist leverages recognized frameworks like NIST RMF and NIST Incident Handling Guide, promoting a standardized and effective approach.
Additional Resources
For further information on cybersecurity incident response and disclosure, we recommend exploring the following resources:
Risk Guidance:
SEC Guidance:
- SEC Announcement
- Fact Sheet
- Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure
- Final Rule: Federal Register Version
- SEC Form 8-K
DOJ Guidance:
- SEC Disclosure Announcement
- FBI Delay Guidance
- Department of Justice Material Cybersecurity Incident Delay Determinations
- Compliance and Disclosure Interpretations
Page last updated on April 6, 2024