When Is a Form 8-K Necessary? | Practical Law

An overview of Practical Law resources that can assist companies and their counsel in evaluating when filing a Form 8-K report is necessary or advisable.

Practical Law Legal Update 7-556-0525 (Approx. 3 pages)

by Practical Law Corporate & Securities
Published on 06 Feb 2014
USA (National/Federal)
In December 2013, Target Corporation announced that personal data had been stolen from up to 40 million customers that had used a credit or debit card at Target's stores in the past month. In January 2014, Target announced that the breach was larger than first thought and extended to over 70 million customers. Target has notified the affected customers. Target has also disclosed this information in press releases that were broadly disseminated and also posted on its website. In addition, Target is cooperating in investigations with the Secret Service, the Department of Justice and the attorneys general for states where affected customers reside.
However, Target has not filed any of this information in a Form 8-K report with the SEC. More recently, other reporting companies, such as Neiman Marcus and Michaels Stores, have issued press releases disclosing potential data security breaches without filing Form 8-K reports.
Should a company suffering a cyber attack file a Form 8-K? No single correct answer exists. A company is not required to file a Form 8-K solely to report an actual or potential cybersecurity breach. However, a company can voluntarily disclose any information under Item 8.01 of Form 8-K that is not otherwise required to be reported but which it believes its securityholders would find important. Some companies that have experienced a security breach, such as TJX Companies, Heartland Payment, EMC and Google, have opted to file a Form 8-K report disclosing this information. Other companies, such as NASDAQ, Citigroup and Amazon, have not. In addition, other circumstances could impact a company's obligation to disclose a cyber attack. For example, Morningstar reported information regarding its security breach under Item 7.01 of Form 8-K to comply with Regulation FD because it had disclosed this information to certain investors.
With these events in mind, Practical Law is featuring a number of resources to assist companies and their counsel in evaluating when filing a Form 8-K report is necessary or advisable:
  • Practice Note, Form 8-K reviews the requirements of Form 8-K. In particular, this Note:
    • summarizes what types of events would trigger the need to file a Form 8-K and describes the information required to be included in the report;
    • discusses how to prepare a Form 8-K and raises considerations of steps to take before the report is filed;
    • describes how and when to file a Form 8-K with the SEC and the securities exchanges and how to amend the report; and
    • reviews the impact of a failure to file a Form 8-K report, including antifraud liability and inability to use other forms of registration.
    • some common events and transactions that are considered reportable events under Form 8-K and trigger the need to file a Form 8-K; and
    • the items of Form 8-K under which these events and transactions must be disclosed.
    This Chart is not a comprehensive list of all possible events and transactions, but merely a guide to assist attorneys in keeping their clients up to date.
  • Standard Document, Memorandum: Internal Reporting Procedures for Material Events Potentially Triggering Form 8-K Filings is a form of memorandum to be delivered to management and other relevant employees of a public company that:
    • summarizes the numbered disclosure items for which the company may need to file a Form 8-K; and
    • describes the types of corporate and other events that may trigger a reporting requirement.
    This memorandum is designed to educate management and employees about the company's Form 8-K reporting requirements and establish internal reporting obligations to strengthen the company's disclosure controls and procedures.
For companies that are facing similar cybersecurity issues, Practical Law also recommends Standard Clause, Sample Risk Factor: Cyber Security. This resource:
  • Discusses cybersecurity disclosure guidance issued by the SEC in 2011 and offers a form of risk factor relating to cybersecurity that may be inserted into a public company's annual and periodic reports, registration statements or private placement offering documents.
  • Provides sample language describing risks arising from information security, including the impact of a potential or actual material network breach and steps taken to reduce risk exposure.