SEC Issues Updated Guidance on Cybersecurity Incident Disclosure Under Item 1.05 of Form 8-K

On June 24, 2024, the SEC issued five new Compliance & Disclosure Interpretations (C&DIs) relating to the materiality assessment and disclosure requirements of material cybersecurity incidents under Item 1.05 of Form 8-K.

As discussed in a previous Viewpoints advisory in July 2023, the SEC adopted new rules concerning cybersecurity risk management, strategy, governance, and incident disclosure, including current reporting of certain material cybersecurity incidents under the newly created Item 1.05 of Form 8-K.

These new C&DIs supplement four prior C&DIs published by the SEC in December 2023 and follow statements issued by Erik Gerding, Director of the SEC’s Division of Corporation Finance, in May 2024 (See our earlier Viewpoints advisory) and provide interpretative guidance on situations involving ransomware attacks. Under the new C&DIs (which can be read in full here):

  1. A registrant is required to make a materiality determination regarding a ransomware attack resulting in a disruption in operations or the exfiltration of data even if, before determining whether the incident is material, the registrant makes a ransomware payment and the incident ends or data is returned. In assessing the materiality of the incident, the registrant should determine “if there is a substantial likelihood that a reasonable shareholder would consider the incident important in making an investment decision, or if it would have significantly altered the total mix of information made available,” notwithstanding the fact that the incident may have ended. Question 104B.05
  2. A registrant needs to disclose a ransomware attack that results in a disruption in operations or the exfiltration of data that the registrant has determined to be material even if the registrant makes a ransomware payment and the incident ends, or data is returned before the Item 1.05 Form 8-K filing deadline. Question 104B.06
  3. A cybersecurity incident involving a ransomware attack for which the registrant makes a ransomware payment that is covered by insurance may still be material. In assessing the materiality of the incident, the registrant “should take into consideration all relevant facts and circumstances, which may involve consideration of both quantitative and qualitative factors,” including, for example, “consider[ing] both the immediate fallout and any longer-term effects on its operations, finances, brand perception, customer relationships, and so on, as part of its materiality analysis[,]” which may include an assessment of the subsequent availability of, or increase in cost to the registrant of, insurance policies that cover cybersecurity incidents. Question 104B.07
  4. The size of the ransomware payment with respect to a cybersecurity incident involving a ransomware attack, by itself, is not determinative as to whether the cybersecurity incident is material, but is only one of the facts and circumstances that a registrant should consider in making its materiality determination. Question 104B.08
  5. Disclosure of a series of cybersecurity incidents involving ransomware attacks over time, either by a single threat actor or by multiple threat actors, that the registrant determines are each immaterial individually may be required. In these circumstances, the registrant should consider whether any of those incidents were related and, if so, determine whether those related incidents, collectively, were material. Related incidents could come from the same bad actor or from multiple bad actors exploiting the same vulnerability. Question 104B.09

If you have questions about the new C&DIs or the reporting of any cybersecurity incident, please contact the authors of this Viewpoints advisory or your regular counsel at Mintz.

Authors

Dan is a corporate and securities attorney whose practice spans the full gamut of corporate law. He has advised clients for over two decades in public and private equity and debt financings, securities law matters, mergers and acquisitions, and strategic advice on a broad range of other corporate matters. He capably counsels public and private companies with offerings, compliance, and securities questions and leads buyers and sellers throughout the transaction process. Dan represents life sciences companies as well as clients in other technology fields, financial services, and professional services firms.

Anne L. Bruno is a Member at Mintz who advises clients ranging from start-ups to multinational public companies on issues related to corporate and employment law, including executive compensation, employee benefits, securities law, and corporate governance. She is also a key member of the firm’s multidisciplinary ESG practice, helping corporate boards, companies, and their investors navigate a broad range of environmental, social, and governance considerations.

Kevin M. Yao

Associate

Kevin M. Yao is an Associate at Mintz who focuses his practice on corporate matters such as capital-raising transactions, mergers and acquisitions, corporate governance strategies, and SEC compliance issues.