On June 24, 2024, the SEC issued five new Compliance & Disclosure Interpretations (C&DIs) relating to the materiality assessment and disclosure requirements of material cybersecurity incidents under Item 1.05 of Form 8-K.
As discussed in a previous Viewpoints advisory in July 2023, the SEC adopted new rules concerning cybersecurity risk management, strategy, governance, and incident disclosure, including current reporting of certain material cybersecurity incidents under the newly created Item 1.05 of Form 8-K.
These new C&DIs supplement four prior C&DIs published by the SEC in December 2023 and follow statements issued by Erik Gerding, Director of the SEC's Division of Corporation Finance, in May 2024 (see our earlier Viewpoints advisory). They provide interpretive guidance on situations involving ransomware attacks. Under the new C&DIs:
- A registrant is still required to make a materiality determination regarding a ransomware attack that results in a disruption in operations or the exfiltration of data, even if the registrant makes a ransomware payment and the incident ends or the data is returned before the materiality determination is made. In assessing materiality, the registrant should determine "if there is a substantial likelihood that a reasonable shareholder would consider the incident important in making an investment decision, or if it would have significantly altered the total mix of information made available," notwithstanding the fact that the incident may have ended. (Question 104B.05)
- A registrant must disclose a ransomware attack that results in a disruption in operations or the exfiltration of data and that the registrant has determined to be material, even if the registrant makes a ransomware payment and the incident ends or the data is returned before the Item 1.05 Form 8-K filing deadline. (Question 104B.06)
- A ransomware attack for which the registrant makes a ransomware payment that is covered by insurance may still be material. In assessing materiality, the registrant "should take into consideration all relevant facts and circumstances, which may involve consideration of both quantitative and qualitative factors," including, for example, "consider[ing] both the immediate fallout and any longer-term effects on its operations, finances, brand perception, customer relationships, and so on, as part of its materiality analysis[,]" which may include an assessment of the subsequent availability of, or increase in the cost to the registrant of, insurance policies that cover cybersecurity incidents. (Question 104B.07)
- The size of the ransomware payment, by itself, is not determinative of whether a ransomware attack is a material cybersecurity incident; it is only one of the facts and circumstances that a registrant should consider in making its materiality determination. (Question 104B.08)
- A series of ransomware attacks over time, whether by a single threat actor or by multiple threat actors, may require disclosure even if the registrant determines that each incident is immaterial on its own. In these circumstances, the registrant should consider whether any of those incidents were related and, if so, determine whether the related incidents, taken together, were material. Related incidents could come from the same threat actor or from multiple threat actors exploiting the same vulnerability. (Question 104B.09)