Earlier this summer, the Securities and Exchange Commission (SEC) published new guidance intended to help public companies comply with the rule it finalized last year requiring disclosure of material cybersecurity events to investors. Here is what public company risk professionals need to know about the new guidance.
Five hypothetical questions
In July 2023, the Securities and Exchange Commission (SEC) finalized its rule on public company cybersecurity risk management, governance, and incident reporting. Under the finalized rule, U.S. exchange-listed companies are required to disclose — within four days — any material cybersecurity incidents. This includes providing information about their nature, scope, timing, and material impact or likelihood of material impact.
Under the rule, public companies are also required to disclose, on an annual basis, information about their risk management strategies. Companies must report on their internal processes and governance structures for assessing, identifying, and managing material cybersecurity threats.
On June 24, 2024, the SEC provided additional guidance on companies’ specific responsibilities under the rule. The agency’s Division of Corporation Finance published five compliance and disclosure interpretations (C&DIs), presented in a question-and-answer format, that clarify how companies are expected to apply the SEC’s disclosure rule in certain specific circumstances.
Question 1: What if an event ends before a materiality determination is made?
A registrant experiences a cybersecurity incident involving a ransomware attack. The ransomware attack results in a disruption in operations or the exfiltration of data. After discovering the incident but before determining whether the incident is material, the registrant makes a ransomware payment, and the threat actor that caused the incident ends the disruption of operations or returns the data. Is the registrant still required to make a materiality determination regarding the incident?
According to the SEC, yes, a registrant is required to make a materiality determination about such an incident. The SEC’s rationale: “The cessation or apparent cessation of the incident prior to the materiality determination” does not eliminate the requirement that a public company make such a determination.
Question 2: What if a material event is quickly resolved?
A registrant experiences a cybersecurity incident that it determines to be material. That incident involves a ransomware attack that results in a disruption in operations or the exfiltration of data and has a material impact or is reasonably likely to have a material impact on the registrant, including its financial condition and results of operations. Subsequently, the registrant makes a ransomware payment, and the threat actor that caused the incident ends the disruption of operations or returns the data. If the registrant has not reported the incident pursuant to Item 1.05 of Form 8-K before it made the ransomware payment and the threat actor has ended the disruption of operations or returned the data before the Form 8-K Item 1.05 filing deadline, does the registrant still need to disclose the incident pursuant to Item 1.05 of Form 8-K?
The SEC’s answer: Yes, a registrant must still disclose the incident. Although the incident has ended, it was determined to be material. A public company, therefore, is required to report the incident to its investors via its Form 8-K.
Question 3: What if payment to resolve a ransomware attack is covered by insurance?
A registrant experiences a cybersecurity incident involving a ransomware attack, and the registrant makes a ransomware payment to the threat actor that caused the incident. The registrant has an insurance policy that covers cybersecurity incidents and is reimbursed for all or a substantial portion of the ransomware payment. Is the incident necessarily not material as a result of the registrant being reimbursed for the ransomware payment under its insurance policy?
Here, the SEC says that no, a public company should not assume that such an incident is not material. Even if a ransom payment is made — and an insurer reimburses a policyholder for such a payment — a company making a materiality determination must consider the long-term effects on its operations and finances. The SEC specifically notes that, among other factors, a registrant should consider any change in the availability or increase in cost of insurance, which could be a natural consequence of an incident.
Question 4: What if a ransom payment is small?
A registrant experiences a cybersecurity incident involving a ransomware attack. Is the size of the ransomware payment, by itself, determinative as to whether the cybersecurity incident is material? For example, would a ransomware payment that is small in size necessarily make the related cybersecurity incident immaterial?
No, the incident may still be material. Although the immediate financial implications of an incident are one factor in determining materiality, other factors must also be considered, including any long-term effects on a company’s operations, brand and reputation, and customer relationships. Even if it required only a small ransom payment to resolve, an incident could still be material.
Question 5: Can individually immaterial events collectively be deemed material?
A registrant experiences a series of cybersecurity incidents involving ransomware attacks over time, either by a single threat actor or by multiple threat actors. The registrant determines that each incident, individually, is immaterial. Is disclosure of those cybersecurity incidents nonetheless required pursuant to Item 1.05 of Form 8-K?
In short, it depends on the specific facts and circumstances surrounding the incidents in question. Among other factors, an affected company “should consider whether any of those incidents were related, and if so, determine whether those related incidents, collectively, were material.” A series of small incidents could be deemed “related” if, for example, they are perpetrated by the same malicious actor or by multiple actors attempting to exploit the same vulnerability.
Interpreting the SEC’s interpretations
In total, the SEC’s C&DIs reflect an expectation by the agency that public companies complete materiality assessments after every cyber incident.
Ultimately, a materiality assessment may determine that a given event need not be disclosed to investors. But the SEC has made clear its view that, under the new rule, public companies must always give serious consideration to the question of materiality. This is required even if an event is resolved quickly and/or without significant expenditure or if a company has taken steps to remediate the event, such as preventing the disclosure of data.
The applicability of insurance similarly does not alleviate a company’s responsibility to conduct a materiality assessment and potentially disclose an event to investors. Additionally, the long-term cost implications of an event on insurance availability and cost must also be considered as part of a materiality assessment.
Although other factors, such as economic conditions and market-wide loss trends, can influence pricing and terms at renewal, a ransom payment by an insurer can sometimes fully erode a cyber insurance policy’s limit. This may prompt an insurer to raise pricing for a given insured as a condition of renewal, although a company may be able to avoid or minimize rate increases by presenting a strong story of cyber hygiene to underwriters.
Compliance best practices
Public companies should be mindful of the Supreme Court’s recent decision in Loper Bright Enterprises v. Raimondo, which offers new grounds for businesses to contest administrative regulations that they could argue are beyond agencies’ authority. It is possible that public companies will use the Loper Bright decision as a basis to challenge the SEC cybersecurity rule. For now, however, companies are advised to take all necessary steps to comply with the rule and the SEC’s latest guidance.
Materiality assessments should be conducted with the support of outside securities counsel. While others, such as chief technology officers and chief information security officers, may be involved in completing an assessment, it is vital that the exercise be led by a party that understands the SEC rule and public companies’ disclosure responsibilities. Corporate boards should also take a hands-on role in managing cybersecurity threats more broadly.
Public companies should work with their insurance brokers and other advisors to ensure all their cyber risk management processes are up to date. Incident response planning is especially important, to ensure preparedness ahead of a potential event.
To be most useful during a crisis event, public companies’ written incident response plans should:
Clearly articulate all steps businesses must take to identify, contain, respond to, and continue operations in the event of an incident, along with individual team members’ roles and responsibilities.
Be easily accessible—for example, printed, disseminated, and stored in multiple locations.
Be tested and updated at least once a year. Tabletop testing can help identify potential weak spots and ensure all parties are on the same page, including about compliance timelines, before an event occurs. To ensure timely reporting, materiality assessments should be incorporated into incident response plans and companies’ tabletop exercises.
For more information, please visit our Cyber & Technology page here. Alternatively, contact us at cyber@lockton.com.