By George Wilson
As we discussed in this blog post, one of the challenges in the SEC’s July 2023 cybersecurity disclosure rules is determining when an Item 1.05 Form 8-K to disclose a material cybersecurity incident will be required. The Instructions for the 1.05 Form 8-K state:
Item 1.05 Material Cybersecurity Incidents.
(a) If the registrant experiences a cybersecurity incident that is determined by the registrant to be material, describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.
The instructions also state:
A registrant need not disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident.
On December 18, 2023, V.F. Corporation, a marketer of “Active-Lifestyle Brands,” filed an Item 1.05 Form 8-K. After a description of the cybersecurity breach and its impact on the company’s operations, the Form 8-K includes this language about materiality:
As the investigation of the incident is ongoing, the full scope, nature and impact of the incident are not yet known. As of the date of this filing, the incident has had and is reasonably likely to continue to have a material impact on the Company’s business operations until recovery efforts are completed. The Company has not yet determined whether the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.
As always, your thoughts and comments are welcome!