U.S. SEC Issues Updated Guidance on Cybersecurity Disclosure Under Item 1.05 of Form 8-K
On June 24, 2024, the Staff of the Division of Corporation Finance (“Corporation Finance”) of the U.S. Securities and Exchange Commission (SEC) issued five new Compliance and Disclosure Interpretations (“C&DIs”) to address certain interpretive issues regarding cybersecurity incident reporting under Item 1.05 of Form 8-K where a company has made a ransomware payment. The new C&DIs supplement four C&DIs published by the Staff in December 2023 and follow recent statements by Corporation Finance Director Erik Gerding providing further explanatory guidance on reporting cybersecurity incidents.
Both the updated C&DIs and Director Gerding’s guidance are covered in more detail below.
Item 1.05 of Form 8-K, adopted by the SEC on July 26, 2023, generally requires public companies to disclose material cybersecurity incidents within four days of determining that the incident is material. Such disclosure must contain the nature, scope, and timing of the incident and the impact or reasonably likely impact of the incident on the company, its financial condition, and its results of operations. Companies are required to assess the materiality of a cybersecurity incident without unreasonable delay following discovery. If new information becomes available after the initial filing of the Form 8-K and such information impacts the materiality of the cybersecurity incident, the company is required to amend its Form 8-K within four business days of that information becoming available.
The new C&DIs address materiality determinations in instances where payments have been made to threat actors and remind companies that these decisions should take multiple factors into account. In brief, the C&DIs explain that:
Accordingly, and consistent with the Staff’s views on materiality more generally, companies should assess materiality decisions relating to cybersecurity incidents by taking into consideration all relevant facts and circumstances, which should involve consideration of both quantitative and qualitative factors.
Question: A registrant experiences a cybersecurity incident involving a ransomware attack. The ransomware attack results in a disruption in operations or the exfiltration of data. After discovering the incident but before determining whether the incident is material, the registrant makes a ransomware payment, and the threat actor that caused the incident ends the disruption of operations or returns the data. Is the registrant still required to make a materiality determination regarding the incident?
Answer: Yes. Item 1.05 of Form 8-K requires a registrant that experiences a cybersecurity incident to determine whether that incident is material. The cessation or apparent cessation of the incident prior to the materiality determination, including as a result of the registrant making a ransomware payment, does not relieve the registrant of the requirement to make such materiality determination.
Further, in making the required materiality determination, the registrant cannot necessarily conclude that the incident is not material simply because of the prior cessation or apparent cessation of the incident. Instead, in assessing the materiality of the incident, the registrant should, as the Commission noted in the adopting release for Item 1.05 of Form 8-K, determine “if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly altered the total mix of information made available,” notwithstanding the fact that the incident may have already been resolved. Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11216; 34-97989 (July 26, 2023) [88 FR 51896, 51917 (Aug. 4, 2023)] (quoting Matrixx Initiatives v. Siracusano, 563 U.S. 27, 38-40 (2011); Basic Inc. v. Levinson, 485 U.S. 224, 240 (1988); TSC Indus. v. Northway, 426 U.S. 438, 449 (1976)) (internal quotation marks omitted). [June 24, 2024]
Question: A registrant experiences a cybersecurity incident that it determines to be material. That incident involves a ransomware attack that results in a disruption in operations or the exfiltration of data and has a material impact or is reasonably likely to have a material impact on the registrant, including its financial condition and results of operations. Subsequently, the registrant makes a ransomware payment, and the threat actor that caused the incident ends the disruption of operations or returns the data. If the registrant has not reported the incident pursuant to Item 1.05 of Form 8-K before it made the ransomware payment and the threat actor has ended the disruption of operations or returned the data before the Form 8-K Item 1.05 filing deadline, does the registrant still need to disclose the incident pursuant to Item 1.05 of Form 8-K?
Answer: Yes. Because the registrant experienced a cybersecurity incident that it determined to be material, the subsequent ransomware payment and cessation or apparent cessation of the incident does not relieve the registrant of the requirement to report the incident under Item 1.05 of Form 8-K within four business days after the registrant determines that it has experienced a material cybersecurity incident. [June 24, 2024]
Question: A registrant experiences a cybersecurity incident involving a ransomware attack, and the registrant makes a ransomware payment to the threat actor that caused the incident. The registrant has an insurance policy that covers cybersecurity incidents and is reimbursed for all or a substantial portion of the ransomware payment. Is the incident necessarily not material as a result of the registrant being reimbursed for the ransomware payment under its insurance policy?
Answer: No. The standard that the Commission articulated for assessing the materiality of a cybersecurity incident under Item 1.05 of Form 8-K is set forth in the adopting release for the rule and is reiterated in Question 104B.05. Further, as the Commission noted in the adopting release for Item 1.05 of Form 8-K, when assessing the materiality of cybersecurity incidents, registrants “should take into consideration all relevant facts and circumstances, which may involve consideration of both quantitative and qualitative factors” including, for example, “consider[ing] both the immediate fallout and any longer term effects on its operations, finances, brand perception, customer relationships, and so on, as part of its materiality analysis.” Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11216; 34-97989 (July 26, 2023) [88 FR 51896, 51917 (Aug. 4, 2023)]. Under the facts described in this question, such consideration also may include an assessment of the subsequent availability of, or increase in cost to the registrant of, insurance policies that cover cybersecurity incidents. [June 24, 2024]
Question: A registrant experiences a cybersecurity incident involving a ransomware attack. Is the size of the ransomware payment, by itself, determinative as to whether the cybersecurity incident is material? For example, would a ransomware payment that is small in size necessarily make the related cybersecurity incident immaterial?
Answer: No. The standard that the Commission articulated for assessing the materiality of a cybersecurity incident under Item 1.05 of Form 8-K is set forth in the adopting release for the rule and reiterated in Question 104B.05. Under that standard, the size of any ransomware payment demanded or made is only one of the facts and circumstances that registrants should consider in making their materiality determination regarding the cybersecurity incident. Further, in the adopting release for Item 1.05 of Form 8-K, the Commission declined “to use a quantifiable trigger for Item 1.05 because some cybersecurity incidents may be material yet not cross a particular financial threshold.”
Any ransomware payment made is only one of the various potential impacts of a cybersecurity incident that a registrant should consider under Item 1.05. As the Commission further stated in Item 1.05’s adopting release:
[T]he material impact of an incident may encompass a range of harms, some quantitative and others qualitative. A lack of quantifiable harm does not necessarily mean an incident is not material. For example, an incident that results in significant reputational harm to a registrant . . . may not cross a particular quantitative threshold, but it should nonetheless be reported if the reputational harm is material.
Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11216; 34-97989 (July 26, 2023) [88 FR 51896, 51906 (Aug. 4, 2023)]. [June 24, 2024]
Question: A registrant experiences a series of cybersecurity incidents involving ransomware attacks over time, either by a single threat actor or by multiple threat actors. The registrant determines that each incident, individually, is immaterial. Is disclosure of those cybersecurity incidents nonetheless required pursuant to Item 1.05 of Form 8-K?
Answer: Disclosure of those cybersecurity incidents may, depending on the particular facts and circumstances, be required pursuant to Item 1.05 of Form 8-K. In these circumstances, the registrant should consider whether any of those incidents were related, and if so, determine whether those related incidents, collectively, were material. The definition of “cybersecurity incident” under Item 106(a) of Regulation S-K (which, as noted in Instruction 3 to Item 1.05, is the definition that applies to Item 1.05 of Form 8‑K) includes “a series of related unauthorized occurrences.” In the adopting release for Item 1.05, the Commission noted:
[W]hen a company finds that it has been materially affected by what may appear as a series of related cyber intrusions, Item 1.05 may be triggered even if the material impact or reasonably likely material impact could be parceled among the multiple intrusions to render each by itself immaterial. One example was provided in the Proposing Release: the same malicious actor engages in a number of smaller but continuous cyberattacks related in time and form against the same company and collectively, they are either quantitatively or qualitatively material. Another example is a series of related attacks from multiple actors exploiting the same vulnerability and collectively impeding the company’s business materially.
Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11216; 34-97989 (July 26, 2023) [88 FR 51896, 51910 (Aug. 4, 2023)]. [June 24, 2024]
On May 21, 2024, SEC Corporation Finance Director Erik Gerding published a statement with explanatory guidance regarding cybersecurity incidents under Item 1.05 of Form 8-K. The key takeaway of the statement is that only material cybersecurity incidents should be disclosed under Item 1.05 of Form 8-K. If a company chooses to voluntarily disclose cybersecurity incidents that are not material, or for which materiality has not yet been determined, it is encouraged to make such disclosures under a different item of Form 8-K, such as Item 8.01. Item 1.05 of Form 8-K should not be used to disclose immaterial or potentially immaterial events.
Director Gerding recognized that making disclosures in this way may cause companies to disclose cybersecurity incidents under Item 8.01 of Form 8-K that are initially thought to be immaterial but are later discovered to be material. In such instances, companies must file an Item 1.05 Form 8-K within four business days of such materiality determination. The new filing can reference the earlier Item 8.01 Form 8-K, so long as it independently satisfies Item 1.05’s disclosure requirements.
The adopting release for Item 1.05 of Form 8-K clearly states that information should be deemed “material” if there is a substantial likelihood that a reasonable shareholder would consider it “important” when making investment decisions or if the information would have “significantly altered the ‘total mix’ of information made available.” Director Gerding’s statement adds that companies should assess all relevant factors in determining the materiality of a cybersecurity incident. Specifically, materiality assessments should extend beyond quantitative factors like the impact on results of operations and financial condition to include qualitative factors such as harm to the company’s reputation, customer and vendor relationships, and competitiveness. Further, companies should consider the possibility of legal or regulatory actions by state, federal, and non-U.S. authorities.
Overall, Director Gerding’s statement reflects a desire to eliminate investor confusion that may be caused by companies disclosing immaterial cybersecurity incidents under Item 1.05 of Form 8-K, which is entitled “Material Cybersecurity Incidents.” He fears that such disclosure will cause investors to “misperceive immaterial cybersecurity incidents as material, and vice versa.” Thus, while Item 1.05 does not expressly forbid voluntary filings of immaterial cybersecurity incidents, Director Gerding encourages companies to file only material cybersecurity incidents under Item 1.05 and to use other Items of Form 8-K for disclosure of incidents that are not material or for which materiality has not yet been determined.
Director Gerding noted that his statement should not discourage the voluntary disclosure of cybersecurity incidents that do not meet Item 1.05’s materiality requirement. In fact, he specifically noted the value that these voluntary disclosures have to investors, to the marketplace, and to companies themselves. Rather, Director Gerding emphasized that his statement is intended to encourage these voluntary disclosures, but in a manner that does not result in investor confusion or diminish the value of disclosures properly made under Item 1.05 regarding material cybersecurity incidents.
In addition, Director Gerding issued a statement on June 20, 2024, concerning selective disclosure of information regarding cybersecurity incidents. Director Gerding’s statement reflects some concerns issuers have expressed that the cybersecurity reporting rules may be in tension with the prohibitions on selective disclosure in Regulation FD. The statement, however, attempts to clarify the relationship between Regulation FD and the cybersecurity reporting requirements.
According to Director Gerding’s statement, “[n]othing in Item 1.05 prohibits a company from privately discussing a material cybersecurity incident with other parties or from providing information about the incident to such parties beyond what was included in an Item 1.05 Form 8‑K. Those parties may include commercial counterparties, such as vendors and customers, as well as other companies that may be impacted by, or at risk from, the same incident or threat actor.”
With respect to Regulation FD, the statement notes that there “are several ways that a public company can privately share information regarding a material cybersecurity incident beyond what was disclosed in its Item 1.05 Form 8-K without implicating Regulation FD. For example, the information that is being privately shared about the incident may be immaterial, or the parties with whom the information is being shared may not be one of the types of persons covered by Regulation FD.” In other instances, the statement notes, an exclusion may apply. For example, information may be shared with a person who owes a duty of trust or confidence to an issuer (such as an attorney, investment banker, or accountant).
While attempting to assuage concerns, the Director’s statement nonetheless highlights some of the tension and issues that arise when dealing with a cybersecurity incident. Such issues are often sensitive and fast-moving, involving a host of regulatory complexities. Public companies faced with a cybersecurity incident are urged to consult with their advisors.