The SEC’s Division of Corporation Finance yesterday published five new Compliance and Disclosure Interpretations, or “C&DIs,” all concerning Item 1.05 of Exchange Act Form 8-K, Disclosure of Cybersecurity Incidents.
New C&DI 104B.05 describes a ransomware attack on a public company ended by a payment to the threat actor before any materiality evaluation of the incident. The C&DI holds that, despite the end of the attack, the company must still make a materiality determination for the event. The interpretation necessarily implies that a report on Form 8-K would be required in the event that the incident was found to be material on general securities law principles.
Question 104B.06 describes a material cybersecurity incident that is ended or remediated by a ransom payment before the filing of a report on Form 8-K. The interpretation holds that a current report is still required.
Under the view expressed in Question 104B.07, insurance covering all or a substantial part of a ransomware payment may not mean that an associated cybersecurity incident must have been immaterial.
In the SEC staff’s perspective, the size of a ransomware payment is only one factor to consider in the materiality assessment of a cybersecurity incident. Thus, under Question 104B.08, a small ransomware payment would not categorically mean that the related incident was immaterial.
In Question 104B.09, a public company experiences a series of individually immaterial cybersecurity incidents. In the described circumstances, the company must determine whether any incidents were related and, if so, assess whether the related events were cumulatively material.
See the C&DIs here.