SEC Staff Publishes New Guidance for Handling Cybersecurity Incidents

BCLP

WHAT HAPPENED

On June 24, 2024, the SEC’s Division of Corporation Finance published five additional interpretations (CDIs) addressing the effect of ransomware payments on the obligation of companies to report material cybersecurity incidents in Item 1.05 8-K filings. These supplement four previous CDIs addressing the effect of consultation with or national security findings by the Attorney General.

The new CDIs follow on the heels of:

  • The CorpFin Director’s recent statement regarding selective disclosure and the ability of companies to rely on traditional Regulation FD practices to share information about material incidents with commercial partners.
  • The SEC staff’s guidance for use of Item 1.05 of Form 8-K versus Item 8.01 of Form 8-K, as discussed in our May 29, 2024 post.

TAKEAWAYS

As discussed in our July 27, 2023 post, the SEC’s new Item 1.05 8-K rule took effect late last year for most companies, or this month for smaller reporting companies.

Companies should consult the new guidance whenever evaluating the materiality of cybersecurity incidents and their potential 8-K reporting obligations.

DEEPER DIVE

Effect of ransomware payments.  The new staff guidance addresses five scenarios involving ransomware payments, generally concluding that such payments do not relieve companies of their obligations to evaluate materiality or make Item 1.05 8-K filings:

Effect of AG consultation. These interpretations supplement the four CDIs the staff published last December regarding the effect of consultation with or national security findings by the Attorney General:

Selective disclosure of incidents.  The Director’s statement reminds companies that they can share information about material incidents with commercial partners, such as vendors and customers, or other companies affected by the same risk or threat, using conventional Regulation FD methods. Under FD, sharing is permissible if:

  • The incident is immaterial.
  • The recipient is not a covered person, such as a market professional or security holder.
  • The recipient owes a duty of trust or confidence to the company, such as an attorney, investment banker or accountant.
  • The recipient agrees to keep the information confidential.

The Director expressed concern that “some companies are under the impression that if they experience a material cybersecurity incident, the Commission’s new rules prohibit them from discussing that incident beyond what was included in the Item 1.05 Form 8-K disclosing the incident. That is not the case.”


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BCLP | Attorney Advertising
