June 27, 2024

SEC Staff Issues New Cybersecurity Interpretations

Advisory

On June 24, 2024, the U.S. Securities and Exchange Commission’s (SEC) Division of Corporation Finance issued five new Compliance and Disclosure Interpretations (104B.05-B.09) with respect to Item 1.05 of Form 8-K, summarized below.

  • If, after discovering a ransomware attack that results in a disruption in operations or the exfiltration of data, but before determining whether the incident is material, (1) the registrant makes a ransomware payment and (2) the threat actor ends the disruption or returns the data, the registrant must still make a materiality determination regarding the incident and, if it determines the incident to be material, disclose it pursuant to Item 1.05 of Form 8-K. In assessing the materiality of the incident, the registrant should determine “if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly altered the total mix of information made available,” even where the incident has already been resolved.
  • If a ransomware attack results in a disruption in operations or the exfiltration of data, the registrant determines the incident to be material, and the registrant then makes a ransomware payment and the threat actor ends the disruption or returns the data before the Form 8-K filing deadline, the registrant must still disclose the incident pursuant to Item 1.05 of Form 8-K.
  • A registrant may not conclude that a ransomware incident is not material merely because it will be reimbursed for the ransomware payment under its insurance policy; registrants should take into consideration all relevant facts and circumstances, which may involve quantitative and qualitative factors, including immediate/long term effects on operations, finances, brand perception, customer relationships, and an assessment of the subsequent availability of, or increased cost of, cybersecurity insurance.
  • The size of a ransomware payment, by itself, is not determinative as to whether the cybersecurity incident is material (a lack of quantifiable harm does not necessarily mean an incident is not material). The size of any ransomware payment is only one of the facts and circumstances that registrants should consider in making a materiality determination.
  • If a registrant experiences a series of cybersecurity incidents involving ransomware attacks over time (whether by a single threat actor or by multiple threat actors), and the registrant determines that each incident, individually, is immaterial, disclosure of those cybersecurity incidents may nonetheless be required. The definition of “cybersecurity incident” includes “a series of related unauthorized occurrences.” In making the determination, the registrant should consider whether any of the incidents were related and whether the related incidents, collectively, were material (e.g., the same actor engages in several smaller but continuous attacks related in time and form, or multiple actors engage in a series of related attacks exploiting the same vulnerability, and in either case the series of attacks collectively impedes the registrant’s business materially).

© Arnold & Porter Kaye Scholer LLP 2024 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.