
SEC Issues Interpretations on Ransomware Attacks and Payment Disclosures


LawFlash




July 22, 2024

The U.S. Securities and Exchange Commission (SEC), Division of Corporation Finance, published five Compliance and Disclosure Interpretations (C&DIs) on its website on June 24, 2024, to answer questions arising from the obligation of listed companies to report material cybersecurity incidents under the new Item 1.05 of Form 8-K. The new interpretations address scenarios involving ransomware attacks and ransom payments and their effect on the reporting requirement.

The SEC’s disclosure requirement, which took effect on December 18, 2023, requires publicly traded companies to report certain details of a cybersecurity incident within four business days of determining that the incident was material. The rule also requires companies to provide certain enhanced, standardized cybersecurity disclosures and assessments in their annual reports.

As mentioned in a previous LawFlash, the SEC added a new Item 1.05 to Form 8-K requiring disclosure of material cybersecurity incidents. We noted that while the requirement to report such an incident within four days may be challenging compared to other breach notification laws in the U.S.—which typically require reporting within 30-60 days—the key date for filing Form 8-K is the date a company concludes that a cybersecurity incident is material, not the date on which the event occurred or the date on which the company became aware of it.

If a cybersecurity incident is determined to be material, the SEC requires the company to describe the following:

  • the material aspects of the nature, scope and timing of the incident; and
  • the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.

On December 14, 2023, Erik Gerding, Director of the SEC’s Division of Corporation Finance, issued a statement providing further insight into the disclosure requirement. A second statement was issued on May 21, 2024, confirming that the triggering event for new Item 1.05 is the determination that the incident was material and cautioning companies against using Item 1.05 to report cybersecurity incidents before a materiality determination has been made. In this regard, the Director noted that companies are not discouraged from voluntarily reporting cybersecurity incidents not yet deemed material, but underscored the important difference between a voluntary disclosure and a disclosure under Item 1.05 of Form 8-K.

The new interpretations

On June 24, the SEC added five C&DIs related to the incident disclosure requirement to its website, which we summarize below:

104B.05

Even after paying a ransom to a threat actor that results in the return of data and/or the termination of the cybersecurity incident, the registrant is still required to make a materiality determination. In making that determination, the registrant cannot automatically conclude that the incident is immaterial simply because the payment appears to have ended the incident; rather, it must analyze whether there is a substantial likelihood that a reasonable shareholder would consider the incident important in making an investment decision, or whether it would have significantly altered the total mix of information made available.

104B.06

Once a registrant has determined that an incident was material, it must report the incident, even if it has since made a ransom payment to a threat actor that resulted in the return of data and/or the termination of the cybersecurity incident.

104B.07

The fact that insurance covers all or a substantial portion of a ransomware payment does not, by itself, preclude a determination that the incident was material. Registrants should also include in their materiality assessment the subsequent availability, and any increase in the cost, of insurance policies that cover cybersecurity incidents.

104B.08

The amount of any ransom payment demanded or made is only one of the facts and circumstances that registrants should consider in determining materiality; a small payment does not by itself make an incident immaterial.

104B.09

A series of related ransomware attacks, even if each is individually immaterial, should be evaluated as a whole, and a registrant should determine whether those related incidents are material in the aggregate.

Further information

For more information, please see our discussion of the following data breach notifications and policies:

How we can help

The complex potential reporting environment for financial services firms underscores the importance of careful planning. Our team at Morgan Lewis is available to help firms develop their incident response plan and incident response team, conduct tabletop simulations, and stay up to date with current developments that may affect their risk benchmarks and potential reporting obligations.