SEC Releases New Guidance on Material Cybersecurity Incident Disclosure

27 June 2024

On June 24, 2024, the staff of the Division of Corporation Finance of the Securities and Exchange Commission (the “SEC”) released five new Compliance & Disclosure Interpretations (“C&DIs”) relating to the disclosure of material cybersecurity incidents under Item 1.05 of Form 8-K. A summary of the updates is below, followed by the full text of the new C&DIs. While the fact patterns underlying the new C&DIs focus on ransomware, issuers should consider the guidance generally in analyzing disclosure obligations for cybersecurity events.

ITEM 1.05 OF FORM 8-K

  • Completed ransomware attack does not absolve materiality determination: The cessation or apparent cessation of the incident prior to the materiality determination does not necessarily indicate that the incident was not material, and the registrant still needs to make a determination. If a registrant experiences a cybersecurity incident involving a ransomware attack and, prior to any materiality determination by the registrant, the registrant pays the ransom and the threat actor ends their disruption of operations and returns any exfiltrated data, the registrant must still make a determination regarding the incident’s materiality.
  • Completed material cybersecurity event must still be disclosed: A cybersecurity incident that a registrant determines to have had a material impact or that is reasonably likely to result in a material impact on the registrant must still be disclosed on a Form 8-K within four business days after the registrant makes a materiality determination, even if the cessation or apparent cessation of the incident occurs prior to the filing of the Form 8-K.
  • Insurance coverage: When determining whether a cybersecurity incident is material, reimbursement of a ransomware payment under a registrant’s insurance policy does not mean that the incident is immaterial. Registrants must consider all relevant facts and circumstances, including both quantitative and qualitative factors, such as the near-term and long-term effects on a registrant’s operations, finances, brand perception, and customer relationships, among other factors, when making a materiality determination.
  • Amount of ransomware payment: The size of the ransomware payment, by itself, is not determinative of whether a cybersecurity incident is material and is only one fact relevant to a registrant’s materiality determination.
  • Related immaterial cybersecurity events: If a registrant experiences a series of cybersecurity incidents that, individually, are determined to be immaterial, the registrant should consider whether those prior incidents might be related and, if they are related, determine whether the cybersecurity incidents, when viewed collectively, are material. In particular, the C&DIs highlight that Item 106(a) of Regulation S-K includes in the definition of cybersecurity incident “a series of related unauthorized occurrences.”

This publication is for general information purposes only. It is not intended to provide, nor is it to be used as, a substitute for legal advice. In some jurisdictions it may be considered attorney advertising.