As part of its continuing efforts to clarify the application of the SEC’s rules regarding the disclosure of material cybersecurity incidents,[1] on June 24, 2024, the Division of Corporation (Corp Fin) issued five new Compliance and Disclosure Interpretations (CDIs). All five of the CDIs focus on the materiality determination required under Item 1.05 of Form 8-K and are summarized below. The full text of the CDIs is set forth at the end of this post.
Question 140B.05
CDI 140B.05 addresses disclosure obligations in circumstances where the cessation or apparent cessation of a cybersecurity incident occurs prior to a company’s materiality determination regarding the incident. The CDI makes clear that the cessation of an incident will not relieve the company of the requirement under Item 1.05 of Form 8-K to make a materiality determination. For example, if a company experiences a ransomware attack, makes a ransomware payment to the threat actor, and the threat actor ceases the disruption of operations or returns the data, as applicable, prior to the company making a materiality determination, the company must still make the materiality determination. In addressing the required materiality determination, the CDI states that “the registrant cannot necessarily conclude that the incident is not material simply because of the prior cessation or apparent cessation of the incident. Instead, in assessing the materiality of the incident, the registrant should … determine ‘if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly altered the total mix of information made available,’ notwithstanding the fact that the incident may have already been resolved.”
Question 140B.06
CDI 140B.06 addresses disclosure obligations where the cessation or apparent cessation of a cybersecurity incident occurs after a company determines the incident to be material, but before the company files an Item 1.05 Form 8-K. The CDI provides a similar example as set forth in CDI 140B.05 of a ransomware attack where the company pays the threat actor and the threat actor ceases the disruption of operations or returns the data, as applicable; however, in this example, the company had already determined that the incident was material. The CDI states that “the subsequent ransomware payment and cessation or apparent cessation of the incident does not relieve the registrant of the requirement to report the incident under Item 1.05 of Form 8-K” within four business days of the company’s materiality determination.
Question 140B.07
CDI 140B.07 highlights the need to consider qualitative and quantitative factors when assessing the materiality of a cybersecurity incident. In the example provided in the CDI, if a company experiences a ransomware attack, pays the threat actor, and is reimbursed in full or substantially in full through the company’s insurance policy, a company could not necessarily determine the incident is not material as a result of such reimbursement. The CDI notes that when assessing materiality, companies should take into consideration both quantitative and qualitative factors, including, for example “the immediate fallout and any longer term effects on its operations, finances, brand perception, customer relationships, and so on[.]” Under the circumstances set forth in this CDI, another factor that the company may consider is “an assessment of the subsequent availability of, or increase in cost to the registrant of, insurance policies that cover cybersecurity incidents.”
Question 140B.08
The size of a ransomware payment, by itself, is not determinative of whether the cybersecurity incident is material and is only one of the factors – both quantitative and qualitative – to be considered in the materiality assessment. The CDI states that “the Commission declined ‘to use a quantifiable trigger for Item 1.05 because some cybersecurity incidents may be material yet not cross a particular financial threshold.’”
Question 140B.09
The definition of “cybersecurity incident” for purposes of Item 1.05 of Form 8-K includes “a series of related unauthorized occurrences.” A company may experience a series of cybersecurity incidents over time, each of which it determines, individually, to be immaterial. This CDI notes that the company should consider whether these incidents are related and, if so, whether the related incidents, collectively, are material. If those related incidents, collectively, are material, then they would be required to be disclosed under Item 1.05 of Form 8-K. The CDI includes two examples (the first of which is from the adopting release) of when a series of related unauthorized incidents will trigger disclosure under Item 1.05: “the same malicious actor engages in a number of smaller but continuous cyberattacks related in time and form against the same company and collectively, they are either quantitatively or qualitatively material. Another example is a series of related attacks from multiple actors exploiting the same vulnerability and collectively impeding the company’s business materially.”
Full Text of CDIs
Question 104B.05
Question: A registrant experiences a cybersecurity incident involving a ransomware attack. The ransomware attack results in a disruption in operations or the exfiltration of data. After discovering the incident but before determining whether the incident is material, the registrant makes a ransomware payment, and the threat actor that caused the incident ends the disruption of operations or returns the data. Is the registrant still required to make a materiality determination regarding the incident?
Answer: Yes. Item 1.05 of Form 8-K requires a registrant that experiences a cybersecurity incident to determine whether that incident is material. The cessation or apparent cessation of the incident prior to the materiality determination, including as a result of the registrant making a ransomware payment, does not relieve the registrant of the requirement to make such materiality determination.
Further, in making the required materiality determination, the registrant cannot necessarily conclude that the incident is not material simply because of the prior cessation or apparent cessation of the incident. Instead, in assessing the materiality of the incident, the registrant should, as the Commission noted in the adopting release for Item 1.05 of Form 8-K, determine “if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly altered the total mix of information made available,” notwithstanding the fact that the incident may have already been resolved. Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11216; 34-97989 (July 26, 2023) [88 FR 51896, 51917 (Aug. 4, 2023)] (quoting Matrixx Initiatives v. Siracusano, 563 U.S. 27, 38-40 (2011); Basic Inc. v. Levinson, 485 U.S. 224, 240 (1988); TSC Indus. v. Northway, 426 U.S. 438, 449 (1976)) (internal quotation marks omitted). [June 24, 2024]
Question 104B.06
Question: A registrant experiences a cybersecurity incident that it determines to be material. That incident involves a ransomware attack that results in a disruption in operations or the exfiltration of data and has a material impact or is reasonably likely to have a material impact on the registrant, including its financial condition and results of operations. Subsequently, the registrant makes a ransomware payment, and the threat actor that caused the incident ends the disruption of operations or returns the data. If the registrant has not reported the incident pursuant to Item 1.05 of Form 8-K before it made the ransomware payment and the threat actor has ended the disruption of operations or returned the data before the Form 8-K Item 1.05 filing deadline, does the registrant still need to disclose the incident pursuant to Item 1.05 of Form 8-K?
Answer: Yes. Because the registrant experienced a cybersecurity incident that it determined to be material, the subsequent ransomware payment and cessation or apparent cessation of the incident does not relieve the registrant of the requirement to report the incident under Item 1.05 of Form 8-K within four business days after the registrant determines that it has experienced a material cybersecurity incident. [June 24, 2024]
Question 104B.07
Question: A registrant experiences a cybersecurity incident involving a ransomware attack, and the registrant makes a ransomware payment to the threat actor that caused the incident. The registrant has an insurance policy that covers cybersecurity incidents and is reimbursed for all or a substantial portion of the ransomware payment. Is the incident necessarily not material as a result of the registrant being reimbursed for the ransomware payment under its insurance policy?
Answer: No. The standard that the Commission articulated for assessing the materiality of a cybersecurity incident under Item 1.05 of Form 8-K is set forth in the adopting release for the rule and is reiterated in Question 104B.05. Further, as the Commission noted in the adopting release for Item 1.05 of Form 8-K, when assessing the materiality of cybersecurity incidents, registrants “should take into consideration all relevant facts and circumstances, which may involve consideration of both quantitative and qualitative factors” including, for example, “consider[ing] both the immediate fallout and any longer term effects on its operations, finances, brand perception, customer relationships, and so on, as part of its materiality analysis.” Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11216; 34-97989 (July 26, 2023) [88 FR 51896, 51917 (Aug. 4, 2023)]. Under the facts described in this question, such consideration also may include an assessment of the subsequent availability of, or increase in cost to the registrant of, insurance policies that cover cybersecurity incidents. [June 24, 2024]
Question 104B.08
Question: A registrant experiences a cybersecurity incident involving a ransomware attack. Is the size of the ransomware payment, by itself, determinative as to whether the cybersecurity incident is material? For example, would a ransomware payment that is small in size necessarily make the related cybersecurity incident immaterial?
Answer: No. The standard that the Commission articulated for assessing the materiality of a cybersecurity incident under Item 1.05 of Form 8-K is set forth in the adopting release for the rule and reiterated in Question 104B.05. Under that standard, the size of any ransomware payment demanded or made is only one of the facts and circumstances that registrants should consider in making its materiality determination regarding the cybersecurity incident. Further, in the adopting release for Item 1.05 of Form 8-K, the Commission declined “to use a quantifiable trigger for Item 1.05 because some cybersecurity incidents may be material yet not cross a particular financial threshold.”
Any ransomware payment made is only one of the various potential impacts of a cybersecurity incident that a registrant should consider under Item 1.05. As the Commission further stated in Item 1.05’s adopting release:
The material impact of an incident may encompass a range of harms, some quantitative and others qualitative. A lack of quantifiable harm does not necessarily mean an incident is not material. For example, an incident that results in significant reputational harm to a registrant . . . may not cross a particular quantitative threshold, but it should nonetheless be reported if the reputational harm is material.
Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11216; 34-97989 (July 26, 2023) [88 FR 51896, 51906 (Aug. 4, 2023)]. [June 24, 2024]
Question 104B.09
Question: A registrant experiences a series of cybersecurity incidents involving ransomware attacks over time, either by a single threat actor or by multiple threat actors. The registrant determines that each incident, individually, is immaterial. Is disclosure of those cybersecurity incidents nonetheless required pursuant to Item 1.05 of Form 8-K?
Answer: Disclosure of those cybersecurity incidents may, depending on the particular facts and circumstances, be required pursuant to Item 1.05 of Form 8-K. In these circumstances, the registrant should consider whether any of those incidents were related, and if so, determine whether those related incidents, collectively, were material. The definition of “cybersecurity incident” under Item 106(a) of Regulation S-K (which, as noted in Instruction 3 to Item 1.05, is the definition that applies to Item 1.05 of Form 8-K) includes “a series of related unauthorized occurrences.” In the adopting release for Item 1.05, the Commission noted:
When a company finds that it has been materially affected by what may appear as a series of related cyber intrusions, Item 1.05 may be triggered even if the material impact or reasonably likely material impact could be parceled among the multiple intrusions to render each by itself immaterial. One example was provided in the Proposing Release: the same malicious actor engages in a number of smaller but continuous cyberattacks related in time and form against the same company and collectively, they are either quantitatively or qualitatively material. Another example is a series of related attacks from multiple actors exploiting the same vulnerability and collectively impeding the company’s business materially.
Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11216; 34-97989 (July 26, 2023) [88 FR 51896, 51910 (Aug. 4, 2023)]. [June 24, 2024]
[1] Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11216; 34-97989 (July 26, 2023) (adopting release).
