Debevoise’s Data Strategy and Security group recently assisted five leading financial services industry trade associations in preparing a joint rulemaking petition in response to the Securities and Exchange Commission’s (“SEC”) cybersecurity disclosure rule. The rule was adopted in July 2023 to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance and incidents.
Debevoise worked with the American Bankers Association, Bank Policy Institute, Securities Industry and Financial Markets Association, Independent Community Bankers of America and Institute of International Bankers to call for the rescission of Form 8-K Item 1.05 and corresponding Form 6-K requirements. The industry’s position is that proposed rescission would restore a more balanced, principles-based cybersecurity disclosure regime that provides more meaningful, decision-useful information to investors without imposing undue burdens or creating new risks for public companies.
In particular, the petition highlights the following pitfalls of Item 1.05:
- Exposes victims to further harm. Item 1.05’s four-business-day disclosure requirement for material cybersecurity incidents often forces premature disclosure while investigation and remediation efforts remain ongoing, undermining information quality while heightening the risk of additional attacks.
- Complex and resource-straining delay mechanism. The narrow exception permitting delayed disclosure requires the diversion of critical company and law enforcement resources to rapidly assess preliminary—and likely incomplete—information for case-by-case determinations.
- Persistent market confusion. Companies have struggled to navigate the boundary between mandatory and voluntary disclosure of cybersecurity incidents, leading to uncertainty and signal dilution. Such confusion has persisted despite the SEC’s repeated attempts to clarify Item 1.05 through Compliance & Disclosure Interpretations, public statements and comment letters.
- Chilling effect on internal communications and information sharing. Risks relating to disclosure compliance, securities laws liability and Regulation FD may cause legal departments and incident response teams to curtail internal correspondence and external information sharing.
- Weaponization by cyber criminals. Item 1.05 has been leveraged and weaponized by hackers as an extortion tool to further their malicious objectives, exacerbating the financial and operational damage to victim companies and undermining the purpose of the disclosure rule.
For more information about the cybersecurity disclosure rule, please reference this Debevoise Data Blog post for an overview, this post for SEC guidance on Item 1.05 and the Debevoise Cybersecurity Incident Disclosure Tracker for a list of Form 8-K filings under Item 1.05.
The authors would like to thank Debevoise Summer Associate Kanyinsola Oye for her work on this Debevoise Data Blog.