
Corp Fin Issues New Cybersecurity Incident Disclosure CDIs | Cooley LLP

Corp Fin just issued a new set of CDIs under Form 8-K, Item 1.05, Material Cybersecurity Incidents. The SEC adopted final rules on cybersecurity disclosure in 2023 that require companies to “disclose material cybersecurity incidents they experience and to disclose annually material information regarding their cybersecurity risk management, strategy and governance.” Under the final rules, a public company that experiences a cybersecurity incident that the company determines to be material must file a Form 8-K under the new Item 1.05 describing the “material aspects of the nature, extent, and timing of the incident and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.” The materiality determination with respect to a cybersecurity incident must be made “without unreasonable delay” after discovery of the incident. If the required information has not been determined or is unavailable at the time of the required filing, the company must include a statement to that effect with the filing and then file an amendment to its Form 8-K containing that information within four business days after the company, without unreasonable delay, determines the information or the information becomes available. (See this PubCo post.) Generally, the new CDIs address Form 8-K Item 1.05 filings related to cybersecurity incidents involving ransomware attacks that result in operational disruption or exfiltration of data. Summaries are provided below, but each CDI number below is linked to the CDI on the SEC website, so you can easily read the full version.

Question 104B.05. After discovering a cybersecurity incident involving a ransomware attack that resulted in a business interruption or exfiltration of data, but before determining whether the incident is material, the registrant makes a ransomware payment and the threat actor ends the business interruption or returns the data. Under Item 1.05 of Form 8-K, Corp Fin says, the registrant must still determine whether this incident is material even if the ransom has been paid and the incident has been resolved. Moreover, in making the required materiality determination, the registrant cannot simply conclude that the incident is not material because it has ceased or been resolved. Rather, in assessing the materiality of the incident, as the SEC noted in the adoption statement for Item 1.05, the registrant should determine “whether there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision or whether it would have significantly changed the overall composition of the information provided,” regardless of the resolution of the incident.

Question 104B.06. This time, a registrant determines that the incident had, or is reasonably likely to have, a material impact on the registrant, including its financial condition and results of operations, after experiencing a ransomware attack that results in business interruption or exfiltration of data. The registrant makes a ransomware payment and the threat actor terminates the business interruption or returns the data before the registrant files a Form 8-K under Item 1.05. Because the incident was determined to be material, Corp Fin advises that the “subsequent ransomware payment and cessation or apparent cessation of the incident does not relieve the registrant of the obligation to report the incident under Item 1.05 of the Form 8-K within four business days after the registrant determines that it experienced a material cybersecurity incident.”

Question 104B.07. Same general situation with a ransomware attack and related payment, but here the registrant has an insurance policy that covers cybersecurity incidents and is reimbursed for all or a substantial portion of the ransomware payment. According to Corp Fin, reimbursement does not necessarily mean that the incident is now no longer material. The registrant must apply the usual standard — “if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly changed the overall composition of the information provided” — to assess materiality. In addition, as stated in the adoption statement, registrants should “consider all relevant facts and circumstances when assessing the materiality of cybersecurity incidents, which may include considering both quantitative and qualitative factors,” including, for example, “considering both the immediate consequences and any longer-term impacts on operations, finances, brand perception, customer relationships, etc. as part of their materiality analysis.” In the circumstances described in this question, such an assessment may also include an assessment of the subsequent availability of insurance policies covering cybersecurity incidents or the increase in costs to the registrant.

Question 104B.08. Another ransomware attack, but this one involves only a small ransom payment. According to Corp Fin, the amount of the payment is not the sole determinant of whether the cybersecurity incident is material. The registrant must apply the usual standard – “if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly changed the overall composition of the information provided” – to assess the materiality of the incident, and the amount of the ransom payment is only one of the facts and circumstances that should be considered. In addition, Corp Fin highlights that in adopting the rules, the SEC “declined to use a quantifiable trigger for Item 1.05 because some cybersecurity incidents can be material but without exceeding a specific financial threshold.” In the adoption statement, the SEC explained that the “material impact of an incident can include a range of harms, some quantitative and some qualitative. A lack of quantifiable damage does not necessarily mean that an incident is not material. For example, an incident that results in significant reputational damage to a registrant may not exceed a certain quantitative threshold, but should still be reported if the reputational damage is material.”

Question 104B.09. A series of cybersecurity incidents involving ransomware attacks over a period of time, either by a single threat actor or by multiple threat actors, may be individually immaterial but may require disclosure depending on the particular facts and circumstances. Corp Fin advises the registrant to consider whether any of these incidents were related and, if so, to determine whether these related incidents were material in the aggregate. The definition of a “cybersecurity incident” under Reg SK Item 106(a) includes “a series of related, unauthorized incidents.” In the adoption statement on Item 1.05, the SEC noted that

“If an entity determines that it has been significantly impacted by a series of related cyberattacks, item 1.05 may be triggered even if the significant impact or the reasonably likely significant impact could be apportioned across the multiple attacks so that each would be insignificant on its own. An example was given in the Proposing Release: the same malicious actor conducts a series of smaller but continuous cyberattacks that are linked in time and form and target the same entity, and that together are either quantitatively or qualitatively significant. Another example is a series of related attacks by multiple actors that exploit the same vulnerability and together significantly impede the entity’s business.”
