LawFlash

SEC Releases Interpretations on Ransomware Attacks and Payment Disclosures

July 22, 2024

On June 24, 2024, the US Securities and Exchange Commission (SEC) Division of Corporation Finance issued five Compliance and Disclosure Interpretations (C&DIs) on its website addressing questions raised by the requirement that public companies report material cybersecurity incidents under new Item 1.05 of Form 8-K. The new interpretations address scenarios involving ransomware attacks and ransom payments and how they affect the reporting requirement.

The SEC’s disclosure mandate, which took effect on December 18, 2023, requires public companies to report certain details of a cybersecurity incident within four business days of determining that the incident is material. The mandate also requires companies to provide expanded, standardized cybersecurity-related disclosures and assessments in their annual reports.

As noted in a previous LawFlash, the SEC added a new Item 1.05 to Form 8-K requiring disclosure of material cybersecurity incidents. We pointed out that, while reporting such an incident within four business days may be challenging compared with other US breach notification laws, which typically allow 30–60 days, the trigger for the Form 8-K filing is the date on which a company concludes that a cybersecurity incident is material, not the date the incident occurred or the date the company became aware of it.

Upon determining that a cybersecurity incident is material, the SEC requires a company to describe:

  • the material aspects of the nature, scope, and timing of the incident; and
  • the material impact or reasonably likely material impact on the company, including its financial condition and results of operations.

On December 14, 2023, Division of Corporation Finance Director Erik Gerding released a statement providing further insight into the disclosure requirement. A second statement, released on May 21, 2024, reaffirmed that the triggering event for new Item 1.05 is the determination that an incident is material and cautioned companies against using Item 1.05 to report a cybersecurity incident before a materiality determination has been made. The director noted that companies are not discouraged from voluntarily disclosing cybersecurity incidents that have not yet been deemed material, but underscored the distinction between such a voluntary disclosure and one made under Item 1.05 of Form 8-K.

The New Interpretations

On June 24, the SEC added to its website five C&DIs related to the incident disclosure requirement, which we summarize below:

104B.05

Even after making a ransom payment to a threat actor that results in the return of the data and/or the end of the cybersecurity incident, the registrant must still make a materiality determination. It cannot automatically conclude that the incident is not material simply because the payment appears to have ended it; it must analyze whether there is a substantial likelihood that a reasonable shareholder would consider the incident important in making an investment decision, or whether it would have significantly altered the total mix of information made available.

104B.06

Once a registrant has determined that an incident is material, it must report the incident, even if it subsequently makes a ransom payment to the threat actor that results in the return of the data and/or the end of the cybersecurity incident.

104B.07

Insurance coverage of all or a substantial part of a ransomware payment does not, by itself, preclude a determination that the incident is material. Registrants should also include in their determination an assessment of the subsequent availability of, or increase in the cost of, insurance policies that cover cybersecurity incidents.

104B.08

The size of any ransomware payment demanded or made is only one of the facts and circumstances that registrants should consider in making their materiality determination.

104B.09

A series of related ransomware attacks, even if each is individually immaterial, should be assessed as a whole; the registrant should determine whether the related incidents, taken collectively, are material.

How We Can Help

The complex reporting environment facing public companies underscores the importance of careful planning. Our team at Morgan Lewis stands ready to assist companies with developing their incident response plan and incident response team, conducting tabletop exercises, and keeping up to date on developments that may affect their relative risk and potential reporting obligations.

Contacts

If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following:

Authors
Ezra D. Church (Philadelphia)
Gregory T. Parks (Philadelphia)
Kristin M. Hadgis (Philadelphia)
Celia A. Soehner (Pittsburgh / New York)
Erin E. Martin (Washington, DC / New York)
Martin Hirschprung (New York)