On June 24, 2024 the SEC published five (5) new compliance and disclosure interpretations (C&DI) on cybersecurity incident disclosures supplementing the C&DI published in December 2023 (see HERE).
Cybersecurity
In July, 2023 the SEC adopted final new rules requiring disclosures for both domestic and foreign companies related to cybersecurity incidents, risk management, strategy and governance (see HERE for a review of the new rules).
The cybersecurity rules add new Item 1.05 to Form 8-K requiring disclosure of a material cybersecurity incident including the incident’s nature, scope, timing, and material impact or reasonably likely impact on the company. An Item 1.05 Form 8-K is due within four business days following determination that a cybersecurity incident is material. Given the sensitive nature of cybersecurity crimes, the SEC has added a provision allowing an 8-K to be delayed if it is informed by the United States Attorney General, in writing, that immediate disclosure would pose a substantial risk to national security or public safety.
The delay can be up to the time specified by the Attorney General or 30 days with the ability to extend for an additional 30 days at the written request of the Attorney General. In extraordinary circumstances, disclosure may be delayed for a final additional period of up to 60 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security and notifies the SEC of such determination in writing. Further, a company may delay filing the Form 8-K up to seven business days following notification of the Secret Service and FBI pursuant to an FCC notification rule for breaches of customer proprietary network information, with written notification to the SEC.
Adding to the three C&DI published in December 2023, the SEC has now published five additional items of guidance. The new C&DI (published below) confirm that the cessation of and/or rectification of a cybersecurity incident does not bare on its materiality and the need to report in a Form 8-K.
Question 104B.05 – A registrant experiences a cybersecurity incident involving a ransomware attack. The ransomware attack results in a disruption in operations or the exfiltration of data. After discovering the incident but before determining whether the incident is material, the registrant makes a ransomware payment, and the threat actor that caused the incident ends the disruption of operations or returns the data. Is the registrant still required to make a materiality determination regarding the incident?
Answer – Yes. Item 1.05 of Form 8-K requires a registrant that experiences a cybersecurity incident to determine whether that incident is material. The cessation or apparent cessation of the incident prior to the materiality determination, including as a result of the registrant making a ransomware payment, does not relieve the registrant of the requirement to make such materiality determination.
Further, in making the required materiality determination, the registrant cannot necessarily conclude that the incident is not material simply because of the prior cessation or apparent cessation of the incident. Instead, in assessing the materiality of the incident, the registrant should, as the Commission noted in the adopting release for Item 1.05 of Form 8-K, determine “if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly altered the total mix of information made available,” notwithstanding the fact that the incident may have already been resolved. Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11216; 34-97989 (July 26, 2023) [88 FR 51896, 51917 (Aug. 4, 2023)] (quoting Matrixx Initiatives v. Siracusano, 563 U.S. 27, 38-40 (2011); Basic Inc. v. Levinson, 485 U.S. 224, 240 (1988); TSC Indus. v. Northway, 426 U.S. 438, 449 (1976)) (internal quotation marks omitted).
Question 104B.06 – A registrant experiences a cybersecurity incident that it determines to be material. That incident involves a ransomware attack that results in a disruption in operations or the exfiltration of data and has a material impact or is reasonably likely to have a material impact on the registrant, including its financial condition and results of operations. Subsequently, the registrant makes a ransomware payment, and the threat actor that caused the incident ends the disruption of operations or returns the data. If the registrant has not reported the incident pursuant to Item 1.05 of Form 8-K before it made the ransomware payment and the threat actor has ended the disruption of operations or returned the data before the Form 8-K Item 1.05 filing deadline, does the registrant still need to disclose the incident pursuant to Item 1.05 of Form 8-K?
Answer – Yes. Because the registrant experienced a cybersecurity incident that it determined to be material, the subsequent ransomware payment and cessation or apparent cessation of the incident does not relieve the registrant of the requirement to report the incident under Item 1.05 of Form 8-K within four business days after the registrant determines that it has experienced a material cybersecurity incident.
Question 104B.07 – A registrant experiences a cybersecurity incident involving a ransomware attack, and the registrant makes a ransomware payment to the threat actor that caused the incident. The registrant has an insurance policy that covers cybersecurity incidents and is reimbursed for all or a substantial portion of the ransomware payment. Is the incident necessarily not material as a result of the registrant being reimbursed for the ransomware payment under its insurance policy?
Answer – No. The standard that the Commission articulated for assessing the materiality of a cybersecurity incident under Item 1.05 of Form 8-K is set forth in the adopting release for the rule and is reiterated in Question 104B.05. Further, as the Commission noted in the adopting release for Item 1.05 of Form 8-K, when assessing the materiality of cybersecurity incidents, registrants “should take into consideration all relevant facts and circumstances, which may involve consideration of both quantitative and qualitative factors” including, for example, “consider[ing] both the immediate fallout and any longer term effects on its operations, finances, brand perception, customer relationships, and so on, as part of its materiality analysis.” Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11216; 34-97989 (July 26, 2023) [88 FR 51896, 51917 (Aug. 4, 2023)]. Under the facts described in this question, such consideration also may include an assessment of the subsequent availability of, or increase in cost to the registrant of, insurance policies that cover cybersecurity incidents.
Question 104B.08 – A registrant experiences a cybersecurity incident involving a ransomware attack. Is the size of the ransomware payment, by itself, determinative as to whether the cybersecurity incident is material? For example, would a ransomware payment that is small in size necessarily make the related cybersecurity incident immaterial?
Answer – No. The standard that the Commission articulated for assessing the materiality of a cybersecurity incident under Item 1.05 of Form 8-K is set forth in the adopting release for the rule and reiterated in Question 104B.05. Under that standard, the size of any ransomware payment demanded or made is only one of the facts and circumstances that registrants should consider in making its materiality determination regarding the cybersecurity incident. Further, in the adopting release for Item 1.05 of Form 8-K, the Commission declined “to use a quantifiable trigger for Item 1.05 because some cybersecurity incidents may be material yet not cross a particular financial threshold.”
Any ransomware payment made is only one of the various potential impacts of a cybersecurity incident that a registrant should consider under Item 1.05. As the Commission further stated in Item 1.05’s adopting release:
[T]he material impact of an incident may encompass a range of harms, some quantitative and others qualitative. A lack of quantifiable harm does not necessarily mean an incident is not material. For example, an incident that results in significant reputational harm to a registrant . . . may not cross a particular quantitative threshold, but it should nonetheless be reported if the reputational harm is material.
Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11216; 34-97989 (July 26, 2023) [88 FR 51896, 51906 (Aug. 4, 2023)]
Question 104B.09 – A registrant experiences a series of cybersecurity incidents involving ransomware attacks over time, either by a single threat actor or by multiple threat actors. The registrant determines that each incident, individually, is immaterial. Is disclosure of those cybersecurity incidents nonetheless required pursuant to Item 1.05 of Form 8-K?
Answer – Disclosure of those cybersecurity incidents may, depending on the particular facts and circumstances, be required pursuant to Item 1.05 of Form 8-K. In these circumstances, the registrant should consider whether any of those incidents were related, and if so, determine whether those related incidents, collectively, were material. The definition of “cybersecurity incident” under Item 106(a) of Regulation S-K (which, as noted in Instruction 3 to Item 1.05, is the definition that applies to Item 1.05 of Form 8-K) includes “a series of related unauthorized occurrences.” In the adopting release for Item 1.05, the Commission noted:
[W]hen a company finds that it has been materially affected by what may appear as a series of related cyber intrusions, Item 1.05 may be triggered even if the material impact or reasonably likely material impact could be parceled among the multiple intrusions to render each by itself immaterial. One example was provided in the Proposing Release: the same malicious actor engages in a number of smaller but continuous cyberattacks related in time and form against the same company and collectively, they are either quantitatively or qualitatively material. Another example is a series of related attacks from multiple actors exploiting the same vulnerability and collectively impeding the company’s business materially.
Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11216; 34-97989 (July 26, 2023) [88 FR 51896, 51910 (Aug. 4, 2023)].
The Author
Laura Anthony, Esq.
Founding Partner
Anthony, Linder & Cacomanolis
A Corporate and Securities Law Firm
Securities attorney Laura Anthony and her experienced legal team provide ongoing corporate counsel to small and mid-size private companies, public companies as well as private companies going public on the Nasdaq, NYSE American or over-the-counter market, such as the OTCQB and OTCQX. For more than two decades Anthony, Linder & Cacomanolis, PLLC has served clients providing fast, personalized, cutting-edge legal service. The firm’s reputation and relationships provide invaluable resources to clients including introductions to investment bankers, broker-dealers, institutional investors and other strategic alliances. The firm’s focus includes, but is not limited to, compliance with the Securities Act of 1933 offer sale and registration requirements, including private placement transactions under Regulation D and Regulation S and PIPE Transactions, securities token offerings and initial coin offerings, Regulation A/A+ offerings, as well as registration statements on Forms S-1, S-3, S-8 and merger registrations on Form S-4; compliance with the Securities Exchange Act of 1934, including registration on Form 10, reporting on Forms 10-Q, 10-K and 8-K, and 14C Information and 14A Proxy Statements; all forms of going public transactions; mergers and acquisitions including both reverse mergers and forward mergers; applications to and compliance with the corporate governance requirements of securities exchanges including Nasdaq and NYSE American; general corporate; and general contract and business transactions. Ms. Anthony and her firm represent both target and acquiring companies in merger and acquisition transactions, including the preparation of transaction documents such as merger agreements, share exchange agreements, stock purchase agreements, asset purchase agreements and reorganization agreements. The ALC legal team assists Pubcos in complying with the requirements of federal and state securities laws and SROs such as FINRA for 15c2-11 applications, corporate name changes, reverse and forward splits and changes of domicile. Ms. Anthony is also the author of SecuritiesLawBlog.com, the small-cap and middle market’s top source for industry news, and the producer and host of LawCast.com, Corporate Finance in Focus. In addition to many other major metropolitan areas, the firm currently represents clients in New York, Los Angeles, Miami, Boca Raton, West Palm Beach, Atlanta, Phoenix, Scottsdale, Charlotte, Cincinnati, Cleveland, Washington, D.C., Denver, Tampa, Detroit and Dallas.
Ms. Anthony is a member of various professional organizations including the Crowdfunding Professional Association (CfPA), Palm Beach County Bar Association, the Florida Bar Association, the American Bar Association and the ABA committees on Federal Securities Regulations and Private Equity and Venture Capital. She is a supporter of several community charities including the American Red Cross for Palm Beach and Martin Counties, Susan Komen Foundation, Opportunity, Inc., New Hope Charities, the Society of the Four Arts, the Norton Museum of Art, Palm Beach County Zoo Society, the Kravis Center for the Performing Arts and several others.
Ms. Anthony is an honors graduate from Florida State University College of Law and has been practicing law since 1993.
Contact Anthony, Linder & Cacomanolis, PLLC. Inquiries of a technical nature are always encouraged.
Follow Anthony, Linder & Cacomanolis, PLLC on Facebook, LinkedIn, YouTube, Pinterest and Twitter.
Anthony, Linder & Cacomanolis, PLLC makes this general information available for educational purposes only. The information is general in nature and does not constitute legal advice. Furthermore, the use of this information, and the sending or receipt of this information, does not create or constitute an attorney-client relationship between us. Therefore, your communication with us via this information in any form will not be considered as privileged or confidential.
© Anthony, Linder & Cacomanolis, PLLC
