SEC Issues New Guidance on Cybersecurity Incident Reporting


SEC Clarifies Cybersecurity Incident Reporting with New Guidelines

On June 24, 2024, the SEC’s Division of Corporation Finance issued five new Compliance and Disclosure Interpretations (C&DIs) to provide clarity on cybersecurity incident reporting under Item 1.05 of Form 8-K, particularly concerning ransomware payments. These updates follow recent guidance from Corporation Finance Director Erik Gerding on cybersecurity disclosures.

Key Aspects of Item 1.05 of Form 8-K

Adopted on July 26, 2023, Item 1.05 of Form 8-K mandates that public companies disclose material cybersecurity incidents within four days of determining the incident’s materiality. The disclosure must include details on the nature, scope, timing, and impact on the company’s financial condition and operations. Companies are required to promptly assess the materiality of incidents and amend disclosures if new material information emerges.

New C&DIs: Emphasis on Materiality Assessment

The new C&DIs stress that companies must evaluate the materiality of a ransomware attack, even if the incident is resolved through a payment before the materiality determination. The resolution of the incident via payment does not exempt companies from the obligation to assess and report its materiality. If a ransomware attack is deemed material, companies must report it under Item 1.05 of Form 8-K, regardless of whether a payment ends the incident before the filing deadline.

Additionally, having cyber insurance that covers the ransomware payment does not automatically make the incident immaterial. Companies should consider all relevant quantitative and qualitative factors, including the broader impact on operations, finances, and reputation. The size of the ransomware payment alone is not the sole determinant of materiality.

Evaluating Multiple Incidents

Companies must also assess whether multiple related cybersecurity incidents, which are individually immaterial, collectively constitute a material event. This ensures comprehensive reporting and compliance with SEC requirements.

Guidance from Director Erik Gerding

Director Gerding’s guidance emphasizes that only material cybersecurity incidents should be disclosed under Item 1.05. For voluntary disclosures of non-material incidents, companies should use a different Form 8-K item, such as Item 8.01, to prevent investor confusion.

Comprehensive Materiality Assessments

Companies should consider both quantitative impacts, such as financial losses, and qualitative impacts, such as reputational damage and customer trust, in their materiality assessments. This comprehensive approach aligns with the SEC’s emphasis on robust cybersecurity risk management and transparency in ESG-related disclosures.

Source: senecaesg.com
