Cyber Update: SEC Issues New Guidance on Cybersecurity Incident Disclosure
On June 24, 2024, the U.S. Securities and Exchange Commission (SEC) Division of Corporation Finance (Corp Fin) added to its Compliance and Disclosure Interpretations (C&DIs) relating to disclosure of material cybersecurity incidents. The five new questions and answers address whether a disclosure under Item 1.05 of Form 8-K is required in various ransomware scenarios.
These five new examples appear to be Corp Fin’s attempt at ameliorating the continued uncertainty surrounding the SEC’s new cybersecurity disclosure requirements. As we previously noted, on May 21, 2024, the Director of Corp Fin, Erik Gerding, chastised issuers for the persistent filing of “voluntary” cyber incident disclosures that did not comply with the new rules requiring disclosure of material cyber incidents within four business days of a materiality determination. The new examples stress the need to report once an incident has been determined to be material, regardless of when that determination is made in the cyber incident cycle.
According to Corp Fin, C&DIs are “interpretations reflect[ing] the views of the staff of the Division,” “do not necessarily discuss all material information necessary to reach the conclusions stated,” are “not binding due to their highly informal nature,” and are “intended as general guidance and should not be relied upon as definitive.” Because every cybersecurity incident is highly fact-specific, the five new C&DIs can do no more than clarify the guidance already given in the adopting release for Item 1.05 of Form 8-K and in Corp Fin’s May 21 statement. Even so, they suggest that, for now, the SEC appreciates the difficulty companies face in making materiality determinations in this area.
Questions 104B.05 through 104B.09 address ransomware attacks and whether disclosure is required in various scenarios. In 104B.05, the hypothetical involves a company that paid the ransom demanded by a threat actor, ending the disruption before any materiality determination was made. The C&DI answers that the issuer is still required to make the materiality determination; the fact that the attack and disruption have ended does not relieve it of that obligation.
Similarly, Question 104B.06 asks whether a report is required if a company has determined that an incident is material but the attack ends before the Form 8-K filing deadline under the new rules. The C&DI again answers in the affirmative: the end of the attack does not terminate the filing obligation.
Question 104B.07 asks whether the fact that an insurance policy covered a ransomware payment made to end an attack necessarily makes the incident immaterial, since the company was reimbursed. The C&DI answers in the negative, noting that in assessing materiality the company must also consider the subsequent availability of cybersecurity insurance and any increase in its cost.
Question 104B.08 asks whether the size of a ransomware payment, by itself, is determinative of the materiality of an incident. Again the C&DI answers in the negative, noting that the size of the payment is only one factor to consider in assessing both quantitative and qualitative harms. As in the release accompanying the final rules and the May 2024 Corp Fin statement, the emphasis on both quantitative and qualitative factors expands the impacts and variables a company must take into account in its materiality determination.
Finally, Question 104B.09 addresses a series of cybersecurity incidents over a period of time, each of which is individually determined to be immaterial. The C&DI answers that the issuer should consider whether the incidents are related and, if so, whether they are material “collectively.” Incidents may be related, for example, because they involve the same threat actor or because multiple actors exploited the same vulnerability. In practice, that means an issuer cannot evaluate each incident in isolation and close the file; it needs a record of past incidents, including remediated ones, against which a new incident can be compared.
The key takeaway from these new C&DIs is that, while the SEC continues to say it is working with industry to help define the new cybersecurity disclosure rules, Corp Fin takes the position that the answers are already available in the administrative record for the rule and in the Commission’s accompanying guidance, including the instructions to Item 1.05. Because the decision always comes back to a determination of materiality, issuers need to approach that determination carefully and holistically and be able to document their reasoning, especially where the determination is not to disclose. Doing so requires a cybersecurity program that both accounts for the SEC’s incident disclosure rules and is tied closely enough into the issuer’s disclosure process that seemingly unrelated, remediated, or insignificant incidents are properly considered under the new rules. The SEC is again making clear that it expects public companies to actually work through the materiality determination when faced with a cyber incident.