The Securities and Exchange Commission (the “SEC”) has issued five compliance and disclosure interpretations related to the disclosure of material cybersecurity incidents under Item 1.05 of Form 8-K. These interpretations are largely focused on ransomware attacks, and are summarized below:
1. The cessation of a cybersecurity incident does not relieve a company of the requirement to determine whether the incident was material and to make any required Form 8-K disclosures.
For example, suppose a company experiences a ransomware attack. After discovering the attack but before making a materiality determination, the company pays the ransom and the cybercriminal ends the disruption or returns the company’s data. Even though the incident has ended, the company is still required to make a materiality determination regarding the incident. The fact that the incident has ended does not necessarily mean it was not material. Companies must still determine “if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly altered the total mix of information available
2. If a company experiences a cybersecurity incident that it determines to be material, the subsequent cessation of the incident does not relieve the company of the requirement to report the incident under Item 1.05 of Form 8-K.
In a variation of the scenario described in #1, suppose a company experiences a ransomware attack and determines it to be material. Before the company reports the incident pursuant to Item 1.05 of Form 8-K, the company pays the ransom and the cybercriminal ends the disruption or returns the data. In this situation, the company still needs to disclose the incident on Form 8-K.
3. The fact that a company is reimbursed for all or a substantial portion of a ransomware payment under an insurance policy does not necessarily mean the cybersecurity incident was not material.
When assessing the materiality of a cybersecurity incident, companies “should take into consideration all relevant facts and circumstances, which may involve consideration of both quantitative and qualitative factors.” This may require the company to “consider both the immediate fallout and any longer term effects on its operations, finances, brand perception, customer relationships, and so on, as part of its materiality analysis.” In this scenario, such consideration may also include an assessment of the subsequent availability of, or increase in cost to the company of, insurance policies that cover cybersecurity incidents.
4. The size of a ransomware payment is not, by itself, determinative as to whether a cybersecurity incident is material.
A small ransomware payment does not necessarily mean that the related cybersecurity incident is immaterial. Payment size is just one of the facts and circumstances that companies should consider in making a materiality determination. The SEC intentionally declined using a quantifiable trigger for the Form 8-K cybersecurity disclosure. For example, it is possible for a cybersecurity incident to result in significant reputational harm to a company even though its quantifiable financial harm is small.
5. A series of immaterial cybersecurity incidents may be disclosable under Item 1.05 of Form 8-K.
In the case of individually immaterial cybersecurity incidents, companies should consider whether any of the incidents were related, and if so, determine whether those related incidents, collectively, were material. The definition of “cybersecurity incident” includes “a series of related unauthorized occurrences.” This could take the form of small attacks by the same threat actor or a series of attacks by multiple threat actors exploiting the same vulnerability and collectively and materially impeding a company’s business.
