Advisories July 22, 2024

Securities Law / Privacy, Cyber & Data Strategy / Securities Litigation Advisory | SEC Corporation Finance Provides Additional Guidance on the Disclosure of Material Cybersecurity Incidents in Form 8-K

Executive Summary

Our Securities Litigation, Privacy, Cyber & Data Strategy, and Securities teams examine five new compliance and disclosure interpretations (C&DIs) that expound on “material” cybersecurity incidents.

  • The release of these C&DIs highlights the SEC’s increased focus on cybersecurity disclosures
  • Regulation FD applies to cybersecurity incidents the same way it applies to all other information
  • The SEC also noted the challenges that companies may face in meeting these disclosure requirements

On June 24, 2024, the Division of Corporation Finance (Corp Fin) of the Securities and Exchange Commission (SEC) issued five new compliance and disclosure interpretations (C&DIs) related to the disclosure of “material” cybersecurity incidents in Item 1.05 of current reports on Form 8-K. The C&DIs present hypothetical fact patterns related to ransomware attacks and insurance reimbursement for damages related to cybersecurity incidents. The release of these C&DIs highlights the SEC’s increased focus on cybersecurity disclosures, while also noting the issues and challenges companies face when encountering cybersecurity incidents.

Key Takeaways

  1. Companies are required to make a materiality determination following a completed ransomware attack. Even if the ransomware payment was made and the disruption of the operations by the threat actor was resolved before a materiality determination, companies are still required to determine whether that incident is material. (Q&A 104B.05)
  2. Companies must still disclose a material completed ransomware attack or other cybersecurity incident. If an incident is determined to be material, the incident must be reported under Item 1.05 of Form 8-K within four business days, even if the cessation or apparent cessation of the incident occurs before the company reports the incident or files a Form 8-K. (Q&A 104B.06)
  3. Insurance reimbursement for a ransomware payment does not resolve a materiality determination. Reimbursement for a ransomware payment under a company’s insurance policy does not necessarily mean that the incident has been rendered immaterial. The company must consider the relevant facts and circumstances, such as immediate and long-term effects on the company’s finances, operations, customer relationships, and more, when making a materiality determination. (Q&A 104B.07)
  4. The amount of the ransomware payment does not, standing alone, determine whether a cybersecurity incident is material. The size of the payment is only one of various factors that a company should consider when making a materiality determination. (Q&A 104B.08)
  5. A series of related immaterial cybersecurity incidents could be considered material. If a company experiences a series of cybersecurity incidents that are individually determined to be immaterial, the company should consider whether these incidents are related, and if so, determine whether these incidents, collectively, are material. Based on the examples provided by the SEC, cybersecurity incidents may be considered related if they involve the same threat actor engaging in smaller, continuous cyberattacks against the same company or multiple threat actors exploiting the same vulnerability and collectively interfering with the company’s business operations. (Q&A 104B.09)

Corporation Finance Director Statements

These C&DIs follow a recent Corp Fin statement issued on June 20, 2024, to correct a purported misunderstanding by issuers that the SEC’s cybersecurity disclosure rules prohibit companies from discussing material cybersecurity incidents with their commercial counterparties, such as vendors and customers. Building upon the May 22, 2024 Corp Fin statement, this statement clarifies that Regulation Fair Disclosure (FD), which requires public disclosure of any material nonpublic information that has been selectively disclosed to securities market professionals or shareholders, applies to cybersecurity incidents the same way it applies to all other information. The statement clarifies that, beyond the requirements of Regulation FD, the rules do not prohibit a company from privately discussing a material cybersecurity incident with other parties or from providing nonpublic information about the incident to those parties.

The statement also emphasizes that the private disclosure of additional information about a material cybersecurity incident beyond what was included in Item 1.05 on Form 8-K may not implicate Regulation FD. For instance, the SEC notes that the information shared about the material cybersecurity incident may itself be immaterial or the recipients of the information may not be the types of parties covered by Regulation FD.

Next Steps

Because the release of these additional C&DIs emphasizes the SEC’s heightened focus on cybersecurity disclosures and highlights the challenges that companies may face in meeting these disclosure requirements, companies should refer to the SEC’s C&DIs to determine whether such incidents may be considered material for disclosure purposes.