6 Analyses of this Federal Register document by attorneys

  1. SEC Publishes Five C&DIs Covering Cybersecurity Incident Disclosures Pursuant to Item 1.05 of Form 8-K

    Akin Gump Strauss Hauer & Feld LLP, Kerry Berchem, June 28, 2024

    to Item 1.05, is the definition that applies to Item 1.05 of Form 8-K) includes “a series of related unauthorized occurrences.” In the adopting release for Item 1.05, the Commission noted:

    [W]hen a company finds that it has been materially affected by what may appear as a series of related cyber intrusions, Item 1.05 may be triggered even if the material impact or reasonably likely material impact could be parceled among the multiple intrusions to render each by itself immaterial. One example was provided in the Proposing Release: the same malicious actor engages in a number of smaller but continuous cyberattacks related in time and form against the same company and collectively, they are either quantitatively or qualitatively material. Another example is a series of related attacks from multiple actors exploiting the same vulnerability and collectively impeding the company’s business materially.[4]

    Footnotes
    1 See Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11216; 34-97989 (July 26, 2023) [88 FR 51896, 51917 (Aug. 4, 2023)] (quoting Matrixx Initiatives v. Siracusano, 563 U.S. 27, 38-40 (2011); Basic Inc. v. Levinson, 485 U.S. 224, 240 (1988); TSC Indus. v. Northway, 426 U.S. 438, 449 (1976)) (internal quotation marks omitted).
    2 See Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11216; 34-97989 (July 26, 2023) [88 FR 51896, 51917 (Aug. 4, 2023)].
    3 See Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11216; 34-97989 (July 26, 2023) [88 FR 51896, 51906 (Aug. 4, 2023)].
    4 See Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11216; 34-97989 (July 26, 2023) [88 FR 51896, 51910 (Aug. 4, 2023)].

  2. Corp Fin Issues CDIs on Cybersecurity Incident Reporting

    Wilson Sonsini Goodrich & Rosati, June 27, 2024

    ssation or apparent cessation of the incident prior to the materiality determination, including as a result of the registrant making a ransomware payment, does not relieve the registrant of the requirement to make such materiality determination. Further, in making the required materiality determination, the registrant cannot necessarily conclude that the incident is not material simply because of the prior cessation or apparent cessation of the incident. Instead, in assessing the materiality of the incident, the registrant should, as the Commission noted in the adopting release for Item 1.05 of Form 8-K, determine “if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly altered the total mix of information made available,” notwithstanding the fact that the incident may have already been resolved. Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11216; 34-97989 (July 26, 2023) [88 FR 51896, 51917 (Aug. 4, 2023)] (quoting Matrixx Initiatives v. Siracusano, 563 U.S. 27, 38-40 (2011); Basic Inc. v. Levinson, 485 U.S. 224, 240 (1988); TSC Indus. v. Northway, 426 U.S. 438, 449 (1976)) (internal quotation marks omitted). [June 24, 2024]

    Question 104B.06

    Question: A registrant experiences a cybersecurity incident that it determines to be material. That incident involves a ransomware attack that results in a disruption in operations or the exfiltration of data and has a material impact or is reasonably likely to have a material impact on the registrant, including its financial condition and results of operations. Subsequently, the registrant makes a ransomware payment, and the threat actor that caused the incident ends the disruption of operations or returns the data. If the registrant has not reported the incident pursuant to Item 1.05 of Form 8-K before it made the ransomware payment and the threat actor has ended the disruption of operations or returned the data before the Form 8-K It

  3. SEC v. SolarWinds: Court Dismisses the Majority of the SEC’s Securities Fraud Claims

    Fenwick & West LLP, David Bell, July 24, 2024

    cation to executives, including the CEO and CTO. The court rejected this claim, holding that, without more, “the existence of two misclassified incidents is an inadequate basis on which to plead deficient disclosure controls.” SolarWinds at *53. The court also dismissed as inadequately pled the SEC’s separate disclosure control claims based on each of the allegedly mischaracterized prior incidents. Id.

    The Narrowed Case Will Proceed

    The court’s order does not allow the SEC to amend its complaint to try to replead the part of the case that was dismissed. The case will proceed against SolarWinds and Brown only on the claim that the Security Statement on SolarWinds’ website was false and misleading.

    Footnotes
    1 In July 2023, the SEC adopted new cybersecurity rules. These require the disclosure of material cybersecurity incidents and annual disclosure of cybersecurity risk management, strategy, and governance. See Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, 88 Fed. Reg. 51896 (Aug. 4, 2023) (codified at 17 C.F.R. §§ 229.106, 232, 239, 240, 249). These new rules are not implicated in this case, which involves conduct predating the new rules’ effective date.

  4. SEC Issues Additional Guidance Regarding Cybersecurity Incident Disclosure

    Troutman Pepper, Danilo Castelli, July 17, 2024

    parties with whom the company is sharing such information may not be the types of persons covered by Regulation FD that would require public disclosure, such as sharing information with a person who owes a duty of trust or confidence to a public company (e.g., an attorney, investment banker, or accountant) or if the person with whom the information is being shared agrees to keep the disclosed information confidential (e.g., through a Regulation FD compliant confidentiality agreement).

    Conclusion

    The SEC's release of additional C&DIs and Gerding's statement not only underscores the SEC's heightened focus on cybersecurity disclosures, but also highlights some of the issues and challenges companies face when encountering a cybersecurity incident in light of the new disclosure regime. Companies are strongly encouraged to consult with their counsel and advisors when facing a cybersecurity threat or incident.

    Footnotes
    Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11216; 34-97989 (July 26, 2023) [88 FR 51896, 51906 (Aug. 4, 2023)].

  5. Darned if You Do, Darned if You Don’t: Recent Lessons from the SEC On Cyber Reporting

    Wiley Rein LLP, Megan Brown, May 24, 2024

    yber event in what the agency deemed a timely fashion. This action drew a notable dissent from the two Republican SEC Commissioners, who wrote that “imposing a $10 million civil penalty …[for a] failure to notify the Commission of a single, de minimis incident is an overreaction” and that it amounted to “regulatory fly-specking around a firm’s response to an attack.” Regulated entities may rightly be confused by mixed messages from the SEC on incident reporting, which seem on the one hand to demand prompt reporting but also to admonish companies trying to do the right thing by putting investors on notice of an incident for which it may be difficult to assess materiality. Suffice it to say, cyber incident reporting is becoming more and more complex and fraught with risk. As the Cybersecurity and Infrastructure Security Agency continues with its new incident reporting rules, this complexity will only grow.

    Footnotes
    Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, SEC, 88 Fed. Reg. 51896, 51903–04 (Aug. 4, 2023) (“Final Rule”).
    Id. (“The final rules will require the registrant to ‘describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.’”).
    Disclosure of Cybersecurity Incidents Determined To Be Material and Other Cybersecurity Incidents, SEC, Statement of Erik Gerding (May 21, 2024), https://www.sec.gov/news/statement/gerding-cybersecurity-incidents-05212024.
    Id.
    Id.
    Id.
    Id.
    Id.
    Final Rule at 51904.
    Forget about Collaborating—Stop, Pay-Up, and Listen: Statement on Intercontinental Exchange et al., SEC, Statement of Hester Peirce and Mark Uyeda (May 21, 2024), https://www.sec.gov/news/statement/peirce-uyeda-statement-intcntl-exchange-052224.

  6. SEC Cyber Reporting Mandates: How to Request a National Security or Public Safety Delay

    Wiley Rein LLP, Megan Brown, December 12, 2023

    occur before a company makes a materiality determination. The government notes that engagement with the FBI doesn’t in and of itself mean that an incident is material.

    The new guidance highlights the importance of having a process in place to review cybersecurity incidents at the time they occur, determine materiality and reporting obligations, and assess whether a notification delay request based on public safety or national security grounds should be requested before the four-day SEC public notification obligation deadline. It also underscores the importance of having relationships – directly or through counsel – with FBI contacts that can help. In our experience, the FBI’s cyber teams are often highly responsive and try to help victims with discretion.

    There is only a short window of time between making a materiality decision, requesting a notification delay, and public disclosure of a cybersecurity incident. Companies would be well served by preparing for these short deadlines now.

    Footnotes
    88 Fed. Reg. 51896, https://www.sec.gov/files/rules/final/2023/33-11216.pdf