The SEC’s Division of Corporation Finance today published five new Compliance and Disclosure Interpretations, or “C&DIs,” all concerning Item 1.05 of Exchange Act Form 8-K, Disclosure of Cybersecurity Incidents.
New C&DI 104B.05 describes a ransomware attack on a public company that is ended by a payment to the threat actor before any materiality evaluation of the incident. The C&DI holds that, despite the end of the attack, the company must still make a materiality determination for the event. The interpretation necessarily implies that a report on Form 8-K would be required if the incident were found to be material on general securities law principles.
Question 104B.06 describes a material cybersecurity incident that is ended or remediated by a ransom payment before the filing of a report on Form 8-K. The interpretation holds that a current report is still required.
In the view expressed in Question 104B.07, insurance covering all or a substantial part of a ransomware payment may not mean that the associated cybersecurity incident must have been immaterial.
In the SEC staff’s perspective, the size of a ransomware payment is only one factor to consider in the materiality assessment of a cybersecurity incident. Thus, under Question 104B.08, a small ransomware payment would not categorically mean that the related incident was immaterial.
In Question 104B.09, a public company experiences a series of individually immaterial cybersecurity incidents. In the described circumstances, the company must determine whether any incidents were related and, if so, assess whether the related events were cumulatively material.