SEC Announces New Cybersecurity Interpretations

Mayer Brown

The SEC's Division of Corporation Finance today published five new Compliance and Disclosure Interpretations, or "C&DIs," all concerning Item 1.05 of Exchange Act Form 8-K, Disclosure of Cybersecurity Incidents.

New C&DI 104B.05 describes a ransomware attack on a public company ended by a payment to the threat actor before any materiality evaluation of the incident. The C&DI holds that, despite the end of the attack, the company must still make a materiality determination for the event. The interpretation necessarily implies that a report on Form 8-K would be required in the event that the incident was found to be material on general securities law principles.

Question 104B.06 describes a material cybersecurity incident that is ended or remediated by a ransom payment before the filing of a report on 8-K. The interpretation holds that a current report is still required.

In the view expressed in Question 104B.07, insurance covering all or a substantial part of a ransomware payment may not mean that an associated cybersecurity incident must have been immaterial.

In the SEC staff's perspective, the size of a ransomware payment is only one factor to consider in the materiality assessment of a cybersecurity incident. Thus, under Question 104B.08, a small ransomware payment would not categorically mean that the related incident was immaterial.

In Question 104B.09, a public company experiences a series of individually immaterial cybersecurity incidents. In the described circumstances, the company must determine whether any incidents were related and, if so, assess whether the related events were cumulatively material.

See the C&DIs here.


© Copyright 2024. The Mayer Brown Practices. All rights reserved.
