SEC Issues New Guidance on Cybersecurity Incident Reporting

By AnhNguyen, June 27, 2024

On June 24, 2024, the SEC’s Division of Corporation Finance issued five new Compliance and Disclosure Interpretations (C&DIs) to clarify cybersecurity incident reporting under Item 1.05 of Form 8-K, specifically addressing situations involving ransomware payments. These updates follow recent guidance from Corporation Finance Director Erik Gerding on cybersecurity disclosures. Item 1.05 of Form 8-K, adopted on July 26, 2023, requires public companies to disclose material cybersecurity incidents within four days of determining the incident’s materiality, detailing the nature, scope, timing, and impact on the company’s financial condition and operations. Companies must promptly assess the materiality of incidents and amend disclosures if new material information arises. 

The new C&DIs emphasize that companies must assess the materiality of a ransomware attack even if a payment resolves the incident before making this determination. The cessation of the incident due to a payment does not exempt companies from this obligation. If a ransomware attack is deemed material, companies must report it under Item 1.05 of Form 8-K, regardless of whether a payment ends the incident before the filing deadline. Additionally, the existence of cyber insurance covering the ransomware payment does not automatically render the incident immaterial. The size of the ransomware payment alone is not determinative of materiality; companies should consider all relevant quantitative and qualitative factors, including the broader impact on operations, finances, and reputation. Furthermore, if a company experiences multiple related cybersecurity incidents that are individually immaterial, it should evaluate whether these incidents collectively amount to a material event. 

Director Gerding’s guidance highlights that only material cybersecurity incidents should be disclosed under Item 1.05. For voluntary disclosures of non-material incidents, companies should use a different Form 8-K item, such as Item 8.01, to avoid investor confusion. Companies should consider both quantitative impacts, such as financial losses, and qualitative impacts, such as reputational damage and customer trust, in their materiality assessments. This comprehensive approach ensures that investors receive clear and accurate information, aligning with the SEC’s emphasis on robust cybersecurity risk management and transparency in ESG-related disclosures. 

Sources: 

https://www.mofo.com/resources/insights/240625-u-s-sec-issues-updated-guidance-on-cybersecurity-disclosure 

https://www.securitiesdocket.com/2024/06/26/u-s-sec-issues-updated-guidance-on-cybersecurity-disclosure-under-item-1-05-of-form-8-k-morrison-foerster/
