
SEC issues new guidelines on reporting cybersecurity incidents

On June 24, 2024, the SEC’s Division of Corporation Finance issued five new Compliance and Disclosure Interpretations (C&DIs) clarifying cybersecurity incident reporting under Item 1.05 of Form 8-K, with a specific focus on incidents involving ransomware payments. The updates follow a recent statement by Corporation Finance Director Erik Gerding on cybersecurity disclosures. Item 1.05 of Form 8-K, adopted on July 26, 2023, requires public companies to disclose a material cybersecurity incident within four business days of determining that the incident is material; the clock runs from the materiality determination, not from discovery of the incident. The disclosure must describe the material aspects of the incident’s nature, scope and timing, and its material impact (or reasonably likely material impact) on the company, including its financial condition and results of operations. Companies must make the materiality determination without unreasonable delay after discovering an incident and must update the disclosure as material information that was unavailable at the time of the original filing becomes known.

The new C&DIs make clear that a ransomware payment does not short-circuit the materiality analysis. If an incident is resolved by a payment before the company has determined whether it is material, the company must still make that determination, and if the incident is material it must be reported under Item 1.05 of Form 8-K, even if the payment ended the incident before the reporting deadline. The existence of cyber insurance that reimburses the ransomware payment does not by itself make the incident immaterial. Nor is the size of the payment alone determinative: companies must weigh all relevant quantitative and qualitative factors, including the broader operational, financial and reputational impacts. Finally, where a company experiences multiple related cybersecurity incidents that are individually immaterial, it must evaluate whether those incidents, taken together, constitute a material incident that requires disclosure.

Director Gerding’s statement emphasizes that Item 1.05 is reserved for cybersecurity incidents the company has determined to be material. A company that chooses to disclose an incident it has not determined to be material, or whose materiality is still under assessment, should do so under a different item of Form 8-K, such as Item 8.01, so that investors are not misled into treating the disclosure as a material-incident filing. In assessing materiality, companies should consider both quantitative impacts, such as financial losses, and qualitative impacts, such as reputational harm and loss of customer trust. This approach is intended to give investors clear and accurate information and is consistent with the SEC’s broader emphasis on robust cybersecurity risk management and transparency in ESG-related disclosures.

Sources:

https://www.mofo.com/resources/insights/240625-us-sec-issues-updated-guidance-on-cybersecurity-disclosure

https://www.securitiesdocket.com/2024/06/26/us-sec-issues-updated-guidance-on-cybersecurity-disclosure-under-item-1-05-of-form-8-k-morrison-foerster/