U.S. SEC Issues Updated Guidance on Cybersecurity Disclosure Under Item 1.05 of Form 8-K | Morrison Foerster

The new C&DIs address materiality determinations in instances where payments have been made to threat actors and remind companies that these decisions should take multiple factors into account. In brief, the C&DIs explain that:

  • If a company experiencing a ransomware attack makes a payment that causes the cyber attack to end before a materiality determination is made, the company must still assess the materiality of the incident.
  • If a company determines a ransomware attack is material and makes a payment that causes the attack to end before the company has reported the incident on Form 8-K, the company is not relieved of its requirement to report the incident.
  • If a company’s cyber insurance policy covers the cost of a ransomware payment, this fact alone would not support a conclusion that the incident was immaterial.
  • The amount demanded or paid in a ransomware payment should not be the sole factor in assessing the materiality of an incident.
  • If a company experiences a series of ransomware attacks over time that are individually immaterial, it should consider whether any of those incidents were related, and if so, determine whether those related incidents, collectively, were material.

Source: U.S. SEC Issues Updated Guidance on Cybersecurity Disclosure Under Item 1.05 of Form 8-K | Morrison Foerster