
What's Trending

Tracking trends critical to life sciences and technology companies.


SEC Releases New 8-K CDIs for Item 1.05 - Cybersecurity Incidents

On June 24, 2024, the SEC released five new Compliance and Disclosure Interpretations (CDIs) on Material Cybersecurity Incidents. A high-level summary follows:

Question 104B.05 — After discovering a cybersecurity incident but before determining whether the incident is material, the registrant makes a ransomware payment, and the threat actor that caused the incident ends the disruption of operations or returns the data. Is the registrant still required to make a materiality determination regarding the incident? 

Yes — The cessation or apparent cessation of the incident prior to the materiality determination, including as a result of the registrant making a ransomware payment, does not relieve the registrant of the requirement to make such materiality determination.

Question 104B.06 — The registrant makes a ransomware payment before the Item 1.05 filing deadline, and the threat actor that caused the incident ends the disruption of operations or returns the data. Does the registrant still need to disclose the incident pursuant to Item 1.05 of Form 8-K? 

Yes — The subsequent ransomware payment and cessation or apparent cessation of the incident do not relieve the registrant of the requirement to report the incident.

Question 104B.07 — Insurance reimburses the registrant for all or a substantial portion of a ransomware payment to a threat actor. Is the incident necessarily not material as a result of the registrant being reimbursed for the ransomware payment under its insurance policy?

No — When assessing the materiality of cybersecurity incidents, registrants “should take into consideration all relevant facts and circumstances, which may involve consideration of both quantitative and qualitative factors.” Consideration may include an assessment of the subsequent availability of, or increase in cost to the registrant of, insurance policies that cover cybersecurity incidents.

Question 104B.08 — Is the size of the ransomware payment, by itself, determinative as to whether the cybersecurity incident is material?

No — Any ransomware payment made is only one of the various potential impacts of a cybersecurity incident that a registrant should consider under Item 1.05.

Question 104B.09 — The registrant experiences a series of cybersecurity incidents involving ransomware attacks over time, each individually immaterial, either by a single threat actor or by multiple threat actors. Is disclosure under Item 1.05 of Form 8-K required?

Maybe — Disclosure turns on whether the incidents can be deemed to be part of a related incident.