An Update on the SEC’s Cybersecurity Reporting Rules

As we pass the two-month anniversary of the effectiveness of the U.S. Securities and Exchange Commission’s (“SEC’s”) Form 8-K cybersecurity reporting rules under new Item 1.05, this blog post provides a high-level summary of the filings made to date.

Six companies have now made Item 1.05 Form 8-K filings. Three of these companies also have amended their first Form 8-K filings to provide additional detail regarding subsequent events. The remainder of the filings seem self-contained such that no amendment is necessary, but these companies may amend at a later date. In general, the descriptions of the cybersecurity incidents have been written at a high level and track the requirements of the new rules without much elaboration. It is interesting, but perhaps coincidental, that the filings seem limited to two broad industry groups: technology and financial services. In particular, two of the companies are bank holding companies.

Although several companies have now made reports under the new rules, the sample space may still be too small to draw any firm conclusions or decree what is “market.” That said, several of the companies that have filed an 8-K under Item 1.05 have described incidents and circumstances that do not seem to be financially material to the particular companies. We are aware of companies that have made materiality determinations in the past on the basis of non-financial qualitative factors when impacts of a cyber incident are otherwise quantitatively immaterial, but these situations are more the exception than the rule.

There is also a great deal of variability among the forward-looking statement disclaimers that the companies have included in the filings in terms of specificity and detail. Such a disclaimer is not required in a Form 8-K, but every company to file under Item 1.05 to date has included one. We believe this practice will continue.

Since the effectiveness of the new rules, a handful of companies have filed Form 8-K filings to describe cybersecurity incidents under Item 8.01 (“Other Events”) instead of Item 1.05. These filings have approximated the detail of what is required under Item 1.05. It is not immediately evident why these companies chose Item 8.01, but presumably the companies determined that the events were immaterial such that no filing under Item 1.05 was necessary at the time of filing. Of course, the SEC filing is one piece of a much larger puzzle when a company is working through a cyber incident and related remediation. It remains to be seen how widespread this practice will become. To date, the SEC staff has not publicly released any comment letters critiquing any Form 8-K cyber filing under the new rules, but it is still early in the process. The SEC staff usually (but not always) makes its comment letters and company responses to those comment letters public on the SEC’s EDGAR website no sooner than 20 business days after it has completed its review. With many public companies now also making the new Form 10-K disclosure on cybersecurity, we anticipate the staff will be active in providing guidance and commentary on cybersecurity disclosures in the coming year.

2024: The Year of the Spot Bitcoin ETP

The US Securities and Exchange Commission (SEC) is making 2024 a significant year for exchange-traded products (ETPs) by declaring effective the registration statements of ten Bitcoin ETPs, and approving their listing on one of the major stock exchanges. This is a monumental step to bringing access to Bitcoin to a broader retail market in the US For over a decade, the staff of the SEC (Staff) had denied or otherwise blocked applications to list spot Bitcoin ETPs, claiming, in part, that there were insufficient protections against market manipulation in the underlying Bitcoin market. The approvals issued this week unlock – although do not widely open – a previously dead bolted door to registered products offering direct exposure to Bitcoin, providing an opportunity for retail investors to have easier access to exposure to Bitcoin in a regulated product.

The approvals follow the US federal appeals court ruling in August 2023 that the SEC was “arbitrary and capricious” in its decision to reject an application by the NYSE Arca to list shares of the Grayscale Bitcoin Trust. In granting the approvals, Chair Gensler acknowledged that the law had changed following the Grayscale decision stating “we are now faced with a new set of filings similar to those we have disapproved in the past. Circumstances, however, have changed.” Rather than appeal the court ruling, the staff of the SEC chose to engage with the sponsors of proposed spot Bitcoin ETPs to discuss parameters necessary for approval, including the inclusion of additional disclosure and other requirements to provide for investor protection. In approving the listing of the ETPs, the SEC relied, in part, on its confirmation that the “CME bitcoin futures market has been consistently highly correlated with this subset [(Coinbase and Kraken)] of the spot [B]itcoin market throughout the past 2.5 years,”1 a fact which was heavily leaned upon in the Grayscale decision. Among the requirements insisted upon by the Staff were requirements that the ETPs effect sales and redemptions of ETP creation units solely in cash (rather than in-kind) and hardcoding of key service providers (including Bitcoin custodians) into the listing rule. The SEC’s approved all listing rule applications simultaneously, in an effort to prevent a single ETP from having a first mover advantage.

While this initial round of approvals is promising for the ETP and cryptocurrency industries, it does not signal a general acceptance of all spot cryptocurrency ETPs. Rather, the SEC granted approval only to ETPs investing in Bitcoin, and it is unclear whether it will be receptive to products investing in other crypto assets. Chair Gensler’s statement in announcing the approvals indicated that he and the staff remain skeptical of digital assets generally, including Bitcoin, stating that the approval is not an endorsement of Bitcoin and that investors should remain cautious and aware of the risks. Issuers wishing to offer similar products with other digital asset investments may now have examples to follow, but will still need to undergo a comprehensive review process, and ultimate approval is not guaranteed. Moreover, future exchange-traded products seeking to directly invest other cryptocurrencies or digital assets may have to satisfy a correlation test similar to that which was relied on by the SEC in approving the current products and may not be able to do so.


1 SEC Release, Order Granting Accelerated Approval of Proposed Rule Changes, as Modified by Amendments Thereto, to List and Trade Bitcoin-Based Commodity-Based Trust Shares and Trust Units, No. 34-99306 (10 January 2024).