As discussed in our previous client alert, on December 18, 2023, new rules went into effect requiring companies to report material cybersecurity incidents on Form 8-K within four business days of the company's determination that the cybersecurity incident is material. In the last several weeks the staff of the Division of Corporation Finance (the “Staff") of the Securities and Exchange Commission (the “SEC") has provided guidance regarding incident reporting in the form of a May 21 statement and a June 20 announcement from the Division of Corporation Finance Director Erik Gerding and, most recently, more formal Compliance and Disclosure Interpretations (“C&DIs") on June 24.
Recent Guidance from the Director of the Division of Corporation Finance
Announcement Regarding Selective Disclosure. On June 20, 2024, Division of Corporation Finance Director Erik Gerding clarified in an announcement that “[n]othing in Item 1.05 prohibits a company from privately discussing a material cybersecurity incident with other parties or from providing information about the incident to such parties beyond what was included in an Item 1.05 Form 8-K." Gerding noted that sharing information with commercial counterparties, such as vendors and customers, as well as other companies that may be impacted by, or at risk from, the same incident or threat actor may assist with remediation, mitigation, or risk avoidance efforts and may facilitate those parties' compliance with their own incident disclosure and reporting obligations.
Statement Regarding Use of Item 1.05 vs. 7.01/8.01. Previously, on May 21, 2024, Gerding released a statement setting forth certain of his views with respect to when it is appropriate to use Item 1.05 of Form 8-K, as opposed to Item 7.01 or Item 8.01, to report a cybersecurity incident. More details on Gerding's statement can be found in our previous blog post.
New Compliance and Disclosure Interpretations
On June 24, 2024, the Staff issued five new C&DIs related to Item 1.05, all of which address ransomware. We believe that the Staff may be concerned that companies are making materiality conclusions based simply on the dollar amounts paid to threat actors, or whether the payments were reimbursed by insurance. The Staff makes clear that a more thorough analysis is needed.
The new C&DIs address the following issues related to the cybersecurity incident reporting requirements:
- Question 104B.05 – resolution of an incident prior to the materiality determination (e.g., as a result of a ransomware payment) does not relieve the company of the requirement to make the determination.
- Question 104B.06 – resolution of an incident that the company has determined to be material prior to the Form 8-K deadline (e.g., as a result of a ransomware payment) does not relieve the company of the requirement to report the incident on Form 8-K.
- Question 104B.07 – receipt of an insurance reimbursement is not dispositive for an incident's materiality.
- Question 104B.08 – the size of the ransomware payment is not dispositive for an incident's materiality.
- Question 104B.09 – related incidents should be evaluated collectively to assess materiality.
Question 104B.05 and 104B.06 – Materiality Determination and Reporting Obligations
Item 1.05(a) of Form 8-K provides the reporting requirement for material cybersecurity incidents, stating that a company must disclose if it “experiences a cybersecurity incident that is determined by the [company] to be material[.]" Instruction 1 to Item 1.05 further provides that the company's materiality determination “must be made without unreasonable delay after discovery of the incident."
In Question 104B.05, the Staff clarifies that Item 1.05 “requires a [company] that experiences a cybersecurity incident to determine whether that incident is material," including when the cybersecurity incident ceases prior to the company's materiality determination. The Staff gives the example of a ransomware attack where the company pays the ransom fee and the threat actor ceases its attack before the company has made a materiality determination. The Staff notes that in this situation, the company must still determine whether the incident is material, and that the company cannot conclude that the incident is immaterial simply because the event has ceased. This intuitively makes sense, given that a ransomware event often includes data exfiltration as well as encrypting servers; the provision of a decrypt key may resolve one aspect of the attack, but companies must still navigate numerous other aspects ranging from regulatory notices to significant investments to harden a victim's IT environment. The Staff cites the standard for materiality, noting that the company must determine “if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly altered the total mix of information made available," notwithstanding that the incident has been resolved.
In Question 104B.06, the Staff confirms that a cybersecurity incident that is determined to be material but ceases prior to the Form 8-K filing deadline, must still be reported on Form 8-K. For example, if a company has determined that an incident is material and subsequently pays a ransomware fee and the threat actor ceases its attack before the company has reported the incident on a Form 8-K, the company is still obligated to report the incident on Form 8-K within the deadline of four business days after the materiality determination.
The Staff's guidance in these CD&Is reflects an expectation that companies adhere to the Item 1.05 requirements regardless of whether the incident ceases prior to the materiality determination or Form 8-K filing deadline.
Questions 104B.07 and 104B.08 – Materiality Considerations
In Questions 104B.07 and 104B.08, the Staff reiterates the factors that companies should consider in making their materiality determinations. In Question 104B.07, the Staff confirms that a cybersecurity incident may still be material where a company received reimbursement for all or a substantial portion of a ransomware payment made in connection with the incident. The Staff points to the materiality standard expressed above and quotes the adopting release guidance that companies “should take into consideration all relevant facts and circumstances, which may involve consideration of both quantitative and qualitative factors" including, for example, “consider[ing] both the immediate fallout and any longer term effects on its operations, finances, brand perception, customer relationships, and so on, as part of its materiality analysis." In the case of an insurance reimbursement, the Staff notes that the company should consider “an assessment of the subsequent availability of, or increase in cost to the [company] of, insurance policies that cover cybersecurity incidents."
In Question 104B.08, the Staff confirms that the size of a ransomware payment is not dispositive to an incident's materiality, and that a cybersecurity incident may still be material where it involved a small ransomware payment. The Staff notes that the SEC declined to set a quantifiable trigger in the final rule given the potential for an incident to be material without crossing a particular financial threshold, and emphasizes that companies should be assessing qualitative factors, such as the incident's impact on the company's reputation, in addition to quantitative factors.
The Staff's guidance in these CD&Is emphasizes the SEC's previously expressed expectations with respect to the materiality analysis for cybersecurity incidents. While companies may look to readily quantifiable factors, such as the size of a ransom payment and length of a disruption in service, in determining whether an incident was material, companies should be mindful that they are not dispositive, and also consider both “soft" qualitative factors, such as potential impacts on reputation and customer relationships (particularly in situations in which data exfiltration has occurred in connection with the incident), and more complex quantitative factors, such as the costs to replace or improve impacted IT servers and harden the IT environment, notification costs, and lasting impacts on insurance costs, in assessing an incident's materiality.
Question 104B.09 – Series of Related Incidents
In Question 104B.09, the Staff reiterates guidance from the adopting release indicating that companies should assess the materiality of a series of related incidents in the aggregate. The Staff gives the example of a company that experiences a series of cybersecurity incidents involving ransomware attacks over time, either by a single threat actor or by multiple threat actors. In such a situation, the Staff states that the company should consider whether any of those incidents were related, and if so, determine whether those related incidents, collectively, are material. The Staff notes that the definition of “cybersecurity incident" used in Item 1.05 includes “a series of related unauthorized occurrences" and cites the adopting release, including the examples of “the same malicious actor" that “engages in a number of smaller but continuous cyberattacks related in time and form against the same company and collectively, they are either quantitatively or qualitatively material" and “a series of related attacks from multiple actors exploiting the same vulnerability and collectively impeding the company's business materially."
Reminder Regarding Prior C&DIs
This latest guidance follows four earlier CD&Is published in December 2023, which addressed the Item 1.05(c) exception permitting a delay in reporting under certain limited circumstances as determined by the United States Attorney General.
* * *
Thank you to associate Matt Dolloff from our New York office for his assistance with this post.