Corp Fin has just issued a new set of CDIs under Form 8-K, Item 1.05, Material Cybersecurity Incidents. The SEC adopted final rules regarding cybersecurity disclosure in 2023, requiring companies “to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.” Under the final rules, if a public company experiences a cybersecurity incident that the company determines to be material, the company is required to file a Form 8-K under new Item 1.05, describing the “material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.” The materiality determination regarding a cybersecurity incident must be made “without unreasonable delay” after discovery of the incident. To the extent that the required information has not been determined or is unavailable at the time of the required filing, the company is required to include a statement to that effect in the filing and then file an amendment to its Form 8-K containing that information within four business days after the company, without unreasonable delay, determines the information or the information becomes available. (See this PubCo post.) Generally, the new CDIs address Form 8-K Item 1.05 filings in the context of cybersecurity incidents that involve ransomware attacks that result in a disruption in operations or the exfiltration of data. Summaries are below, but each CDI number below is linked to the CDI on the SEC website, so you can easily read the version in full.
Question 104B.05. After discovery of a cybersecurity incident involving a ransomware attack that resulted in a disruption in operations or the exfiltration of data, but before determining whether the incident is material, the registrant makes a ransomware payment, and the threat actor ends the disruption of operations or returns the data. Under Item 1.05 of Form 8-K, Corp Fin advises, the registrant is still required to make a determination as to whether that incident is material, even if the ransomware has been paid and the incident has been resolved. In addition, in making the required materiality determination, the registrant cannot simply conclude that the incident is not material because it has ceased or been resolved. Rather, in assessing the materiality of the incident, the registrant should, as the SEC noted in the adopting release for Item 1.05, determine “if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly altered the total mix of information made available,” notwithstanding resolution of the incident.
Question 104B.06. This time, after a registrant experiences a ransomware attack that results in a disruption in operations or the exfiltration of data, the registrant determines that the incident had a material impact or is reasonably likely to have a material impact on the registrant, including on its financial condition and results of operations. The registrant makes a ransomware payment, and the threat actor ends the disruption of operations or returns the data before the registrant files an Item 1.05 Form 8-K. Because the incident was determined to be material, Corp Fin advises, the “subsequent ransomware payment and cessation or apparent cessation of the incident does not relieve the registrant of the requirement to report the incident under Item 1.05 of Form 8-K within four business days after the registrant determines that it has experienced a material cybersecurity incident.”
Question 104B.07. Same general situation with a ransomware attack and payment, but here the registrant has an insurance policy that covers cybersecurity incidents and is reimbursed for all or a substantial portion of the ransomware payment. According to Corp Fin, the reimbursement does not necessarily mean that the incident is no longer material. The registrant has to apply the usual standard—“if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly altered the total mix of information made available”—to assess materiality. In addition, as indicated in the adopting release, “when assessing the materiality of cybersecurity incidents, registrants ‘should take into consideration all relevant facts and circumstances, which may involve consideration of both quantitative and qualitative factors’ including, for example, ‘consider[ing] both the immediate fallout and any longer term effects on its operations, finances, brand perception, customer relationships, and so on, as part of its materiality analysis.’ Under the facts described in this question, such consideration also may include an assessment of the subsequent availability of, or increase in cost to the registrant of, insurance policies that cover cybersecurity incidents.”
Question 104B.08. Another ransomware attack, but this one involving only a small ransomware payment. According to Corp Fin, the size of the payment is not, by itself, determinative as to whether the cybersecurity incident is material. The registrant will need to apply the usual standard—“if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly altered the total mix of information made available”—for assessing the materiality of the incident, and the size of the ransomware payment is only one of the facts and circumstances that should be considered. In addition, Corp Fin highlights that, in adopting the rules, the SEC “declined ‘to use a quantifiable trigger for Item 1.05 because some cybersecurity incidents may be material yet not cross a particular financial threshold.’” In the adopting release, the SEC stated that the “material impact of an incident may encompass a range of harms, some quantitative and others qualitative. A lack of quantifiable harm does not necessarily mean an incident is not material. For example, an incident that results in significant reputational harm to a registrant . . . may not cross a particular quantitative threshold, but it should nonetheless be reported if the reputational harm is material.”
Question 104B.09. A series of cybersecurity incidents involving ransomware attacks over time, whether by a single threat actor or by multiple threat actors, may each be immaterial individually but may nonetheless need to be disclosed, depending on the particular facts and circumstances. Corp Fin advises that the registrant should consider whether any of those incidents were related, and if so, determine whether those related incidents were, collectively, material. The definition of “cybersecurity incident” under Reg S-K Item 106(a) includes “a series of related unauthorized occurrences.” In the adopting release for Item 1.05, the SEC noted that
“when a company finds that it has been materially affected by what may appear as a series of related cyber intrusions, Item 1.05 may be triggered even if the material impact or reasonably likely material impact could be parceled among the multiple intrusions to render each by itself immaterial. One example was provided in the Proposing Release: the same malicious actor engages in a number of smaller but continuous cyberattacks related in time and form against the same company and collectively, they are either quantitatively or qualitatively material. Another example is a series of related attacks from multiple actors exploiting the same vulnerability and collectively impeding the company’s business materially.”