On June 24, 2024, the Division of Corporation Finance (“Corp Fin”) of the Securities and Exchange Commission (“SEC”) issued five new Compliance and Disclosure Interpretations (“C&DIs”) related to the disclosure of “material” cybersecurity incidents under Item 1.05 of Form 8-K. The C&DIs present hypothetical fact patterns involving ransomware attacks and insurance reimbursement for damages related to cybersecurity incidents. Key takeaways include:
- Companies are required to make a materiality determination following a completed ransomware attack. Even if the ransomware payment was made and the threat actor's disruption of operations was resolved before a materiality determination was made, companies are still required to determine whether that incident is material. (Q&A 104B.05).
- Companies must still disclose a material completed ransomware attack or other cybersecurity incident. If an incident is determined to be material, the incident must be reported under Item 1.05 of Form 8-K within four business days, even if the cessation or apparent cessation of the incident occurs before the company reports the incident or files a Form 8-K. (Q&A 104B.06).
- Insurance reimbursement for ransomware payment does not absolve materiality determination. Reimbursement for a ransomware payment under a company’s insurance policy does not necessarily mean that the incident has been rendered immaterial. The company must consider the relevant facts and circumstances, such as immediate and long-term effects on the company’s finances, operations, customer relationships, and more, when making a materiality determination. (Q&A 104B.07).
- The amount of the ransomware payment does not, standing alone, determine whether a cybersecurity incident is material. The size of the payment is not determinative; it is one of various factors a company should consider when making a materiality determination. (Q&A 104B.08).
- A series of related immaterial cybersecurity incidents could be considered material. If a company experiences a series of cybersecurity incidents that are individually determined to be immaterial, the company should consider whether these incidents are related, and if so, determine whether these incidents, collectively, are material. Based on the examples provided by the SEC, cybersecurity incidents may be considered related if they involve the same threat actor engaging in smaller, continuous cyberattacks against the same company or multiple threat actors exploiting the same vulnerability and collectively interfering with the company’s business operations. (Q&A 104B.09).
These C&DIs follow a recent Corp Fin statement issued on June 20, 2024 to correct a purported misunderstanding by issuers that the SEC’s cybersecurity disclosure rules prohibit companies from discussing material cybersecurity incidents with their commercial counterparties, such as vendors and customers. Building upon the May 22, 2024 Corp Fin statement, this statement clarifies that Regulation Fair Disclosure (“Reg FD”), which requires public disclosure of any material nonpublic information that has been selectively disclosed to securities market professionals or shareholders, applies to cybersecurity incidents the same way it applies to all other information. The statement clarifies that, beyond the requirements of Reg FD, the rules do not prohibit a company from privately discussing a material cybersecurity incident with other parties or from providing nonpublic information about the incident to such parties.
The statement also emphasizes that the private disclosure of additional information regarding a material cybersecurity incident, beyond what was included in an Item 1.05 Form 8-K, may not implicate Reg FD. For instance, the SEC notes that the information shared about the material cybersecurity incident may itself be immaterial, or the recipients of the information may not be the types of parties covered by Reg FD.