You may have heard more about the SEC Form 8-K recently due to changes that went into effect on Dec 16, 2023. From the SEC’s press release:

The new rules will require registrants to disclose on the new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant. An Item 1.05 Form 8-K will generally be due four business days after a registrant determines that a cybersecurity incident is material. The disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing.

The new rules also add Regulation S-K Item 106, which will require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents. Item 106 will also require registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats. These disclosures will be required in a registrant’s annual report on Form 10-K.

We’ll talk about what this means, who it impacts, and how to meet these new requirements. 

What does the SEC Form 8-K do?

The Form 8-K is an integral part of the regulatory framework that governs publicly traded companies in the United States. Filed with the Securities and Exchange Commission (SEC), it ensures that shareholders and the government are kept informed about significant events within a company; eg mergers and acquisitions, leadership changes, or bankruptcy proceedings. 

For market analysts and investors, these filings serve as indicators of the company’s strategic direction and operational health. 

Who needs to fill out a Form 8-K?

The SEC’s regulations and filing requirements generally apply to publicly traded companies, which are subject to higher levels of scrutiny and regulation due to their impact on public investors. Form 8-K requirements are specific to public companies, though privately held companies may adhere to them if they choose. 

Other types of firms are subject to different disclosure requirements. From the SEC: “The rules require comparable disclosures by foreign private issuers on Form 6-K for material cybersecurity incidents and on Form 20-F for cybersecurity risk management, strategy, and governance.”

What do the SEC’s new Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure mean?

With the requirement to disclose material cybersecurity incidents, there are now more reasons why a company may file a form 8-K.

What Triggers an 8-K Filing?

Form 8-K, serves as a critical instrument for publicly traded companies to report various significant events. Form 8-K covers a range of events, some of which are mandatory to report, while others are at the company’s discretion if deemed significant. These events include:

1. Financial Statements and Exhibits: This includes any changes or updates to a company’s financial situation.
2. Bankruptcy: If a company files for bankruptcy, it’s imperative to report this through an 8-K.
3. Corporate Governance Changes: This covers amendments to articles of incorporation or bylaws, changes in control, election or departure of directors and senior officers, and changes in the company’s certifying accountant.
4. Business Operations: These include the completion of acquisition or disposition of assets, results of operations, and Regulation FD disclosure.
5. Equity Changes: Any unregistered sales of equity securities must be reported.
6. Other Noteworthy Events: This might include entry into or termination of a material definitive agreement or any event that the company considers important for stakeholders to know.

 Here’s a more detailed look at Section 1 of Form 8-K, which focuses on the registrant’s business and operations:

• Item 1.01 – Entry into a Material Definitive Agreement: This item requires companies to report when they enter into an agreement that is significant to their operations. These agreements can include a wide range of contracts, such as mergers, acquisitions, joint ventures, or other major business agreements that are essential to the company’s operations and financial health.
• Item 1.02 – Termination of a Material Definitive Agreement: Similarly, if any previously reported material definitive agreement is terminated, this needs to be disclosed under this item. The termination of such an agreement could have a significant impact on the company’s operations or financial condition.
• Item 1.03 – Bankruptcy or Receivership: This item is crucial for disclosing when a company files for bankruptcy or enters receivership. Such events are significant as they can indicate severe financial distress and potential changes in ownership or control of the company.
• Item 1.04 – Mine Safety – Reporting of Shutdowns and Patterns of Violations: Specific to companies involved in mining operations, this item requires the disclosure of any mine shutdowns and patterns of health or safety violations. This is critical information for stakeholders, given the potential impact on operations and the company’s commitment to safety standards.
• Item 1.05 – Material Cybersecurity Incidents: This is a newly added item, requiring companies to disclose material cybersecurity incidents. Given the increasing significance of digital security, this item mandates reporting significant cybersecurity events that could affect the company’s operations, financial condition, or reputation.

The inclusion of material cybersecurity incidents in Form 8-K reflects the growing importance of digital security in corporate governance and risk management.

Timeliness and Transparency

One of the critical aspects of the 8-K is its requirement for timeliness. Companies must file an 8-K within four business days of the material event, ensuring that stakeholders receive current and relevant information. This prompt disclosure is crucial for maintaining transparency and trust among investors and the market .

Impact and Implications

Beyond compliance, the 8-K provides valuable insights for various stakeholders:

• For Investors: It offers timely information about material events that could impact share prices.
• For Researchers: These filings are a rich source of data for economic research, offering a window into the impact of corporate events on stock prices.
• For the Companies: While filing 8-Ks imposes certain costs on businesses, it helps them meet disclosure requirements efficiently and avoid allegations like insider trading. However, the requirement to file 8-Ks can also deter smaller companies from going public due to the perceived burden of regulatory compliance.

This post is from guest contributor Frank Kyazze, Founder of GRC Knight. 

The post Everything you need to know about the SEC Form 8-K first appeared on TrustCloud.

*** This is a Security Bloggers Network syndicated blog from TrustCloud authored by Frank Kyazze. Read the original post at: https://www.trustcloud.ai/risk-management/everything-you-need-to-know-about-the-sec-form-8-k/