TheCorporateCounsel.net

Monthly Archives: June 2024

June 28, 2024

Taylor Swift, the Rolling Stones, the SEC and the Courts

If you tuned into our webcast “Proxy Season Post-Mortem: The Latest Compensation Disclosures” on CompensationStandards.com last week, you would have heard me speculate that when it comes to SEC rulemaking, I have to imagine that SEC Chair Gary Gensler might be singing the Rolling Stones song “(I Can’t Get No) Satisfaction” these days, because he tries, and he tries, but the rules that the SEC adopts keep getting struck down or challenged in court. After the SEC’s experience in the courts this week, I can only imagine that the SEC Chair, who gave a speech earlier this month that was packed full of Easter eggs for Swifties like myself, is now singing the Taylor Swift song “Shake It Off,” because the haters gonna hate, hate, hate, hate, hate when it comes to the courts’ reaction to the SEC’s administrative process.

On Wednesday, the Fifth Circuit Court of Appeals invalidated a major part of the SEC’s proxy advisory firms rules that were adopted in 2022. In National Association of Manufacturers v. SEC, the Fifth Circuit held that the SEC’s explanation of its 2022 decision to rescind the 2020 amendments to the proxy rules relating to the proxy voting advice provided by proxy advisory firms (such as ISS and Glass Lewis) was arbitrary and capricious and therefore unlawful. The Court reversed the District Court’s decision and vacated the 2022 SEC rescission action to the extent it rescinded the 2020 rule’s notice-and-awareness conditions, and remanded the matter back to the SEC. The opinion notes:

By rescinding the 2020 Rule, the SEC acted arbitrarily and capriciously in two ways. First, the agency failed adequately to explain its decision to disregard its prior factual finding that the notice-and-awareness conditions posed little or no risk to the timeliness and independence of proxy voting advice. Second, the agency failed to provide a reasonable explanation why these risks were so significant under the 2020 Rule as to justify its rescission. These shortcomings require vacatur of the 2022 Rescission, but only to the extent it rescinded the notice-and-awareness conditions.

The term “notice-and-awareness conditions” refers to the conditions that must be satisfied for the proxy advisory firms to rely on exemptions from the proxy solicitation rules. The court describes them as follows:

As with the 2019 Proposed Rule, this goal was to be achieved through conditions on the availability of exemptions. The 2020 Rule contained two such conditions, which together will be referred to as the “notice-and-awareness conditions.” The first (the notice condition) required proxy firms to make their proxy advice available to registrants “at or prior to the time when such advice is disseminated to” proxy firms’ clients—a departure from the 2019 Proposed Rule’s requirement that the advice be disseminated beforehand. Id. at 55,154 (emphasis added). The second (the awareness condition) required proxy firms to provide “clients with a mechanism by which they can reasonably be expected to become aware of any written statements regarding . . . proxy voting advice by registrants who are the subject of such advice, in a timely manner before the security holder meeting.” Id.; see also 17 C.F.R. § 240.14a-2(b)(9)(ii) (2020) (rescinded codification of conditions). In adopting the 2020 Rule, the SEC stated that the notice-and-awareness conditions “will substantially address, if not eliminate altogether,” the risks to timeliness and independence associated with the 2019 Proposed Rule.

As this Bloomberg Law article notes, an SEC spokesperson indicated that the SEC is reviewing the decision and determining the next steps.

If the Fifth Circuit decision wasn’t bad enough, yesterday the Supreme Court issued its decision in SEC v. Jarkesy, a long-running challenge to the SEC’s use of administrative proceedings in fraud actions. In a 6-3 decision, the Supreme Court held that the SEC unlawfully used its administrative proceedings involving administrative law judges for cases alleging securities fraud. Chief Justice Roberts, writing for the majority, noted in the opinion:

This case poses a straightforward question: whether the Seventh Amendment entitles a defendant to a jury trial when the SEC seeks civil penalties against him for securities fraud. Our analysis of this question follows the approach set forth in Granfinanciera and Tull v. United States, 481 U. S. 412 (1987). The threshold issue is whether this action implicates the Seventh Amendment. It does. The SEC’s antifraud provisions replicate common law fraud, and it is well established that common law claims must be heard by a jury.

Since this case does implicate the Seventh Amendment, we next consider whether the “public rights” exception to Article III jurisdiction applies. This exception has been held to permit Congress to assign certain matters to agencies for adjudication even though such proceedings would not afford the right to a jury trial. The exception does not apply here because the present action does not fall within any of the distinctive areas involving governmental prerogatives where the Court has concluded that a matter may be resolved outside of an Article III court, without a jury. The Seventh Amendment therefore applies and a jury is required. Since the answer to the jury trial question resolves this case, we do not reach the nondelegation or removal issues.

This Politico article about the decision notes:

Justice Sonia Sotomayor wrote a dissenting opinion and read large portions of it from the bench, which is typically a sign of more profound disagreement.

Sotomayor called the majority’s ruling “earthshattering” and said claims that the decision is limited to the SEC were “incredible” and “should fool no one.”

“The constitutionality of hundreds of statutes may now be in peril, and dozens of agencies could be stripped of their power to enforce laws enacted by Congress,” Sotomayor warned in her opinion, joined by Justices Elena Kagan and Ketanji Brown Jackson.

As a person who got his start at the SEC by working as a law clerk in the SEC’s Office of Administrative Law Judges, I got a front row seat to see how the SEC’s administrative proceedings work. I have been following the cases challenging the SEC’s administrative proceedings closely over the years, and I can certainly say that this Supreme Court outcome is a big one.

– Dave Lynn

June 28, 2024

Key SEC Website Functions Down Later Today for Scheduled Maintenance

Yesterday, the SEC posted a notice on www.sec.gov indicating that some website functions will be unavailable this evening due to scheduled maintenance taking place from 5:00 pm Eastern Time tonight to 5:00 am Eastern Time tomorrow morning. Note that access to EDGAR will remain available, but you will not be able to use the webforms for, among other things, “Corporation Finance Request Form for Interpretive Advice and Other Assistance” and “Requests for No-Action, Interpretive, Exemptive, and Waiver Letters.” If you were planning to submit a comment on a rulemaking this evening, you should do so only via email to rule-comments@sec.gov and abide by the following guidelines:

– The subject line of your message must include the File Number for the rule. This is the number that begins “S7-” or “SR-”.

– If you attach a document, indicate the format or software used (e.g., PDF, Word Perfect, MS Word, ASCII text, etc.) to create the attachment. Please note that we now accept comment letters in PDF format.

– DO NOT submit attachments as HTML, GIF, TIFF, PIF, ZIP, or EXE.

If you are furiously working on a no-action letter submission or request for interpretive advice from Corp Fin that you were planning to submit tonight, you have my permission to take the evening off and enjoy yourself. The web portal will be ready for you tomorrow morning.

– Dave Lynn

June 28, 2024

Looking Forward to Our Conferences: Game On!

If you have been coming to our Proxy Disclosure & Executive Compensation Conferences for a long time, particularly in the pre-pandemic days of in-person programming, you will recall that we tried to lighten things up during the two days of conferences with some “entertainment” in the afternoon. For this entertainment, I was always joined by my favorite conference companion, and we would offer up an in-person version of the “Dave & Marty Show,” which, as highlighted in this “best of” reel, resulted in two puppet shows, Marty’s iconic “Why Me?” PEP talk, an obscure talk centered around the SNL “More Cowbell” sketch, and a few iterations of “Which is Better?” and “The Top 10 Things that Really Tick Me Off.” Ah, the good times that we had!

As Meredith mentioned a couple weeks ago, we are going to mix things up at the 2024 Proxy Disclosure Conference by having an SEC All-Star Family Feud, with me serving as the host! I have not decided yet whether I will be hosting in the style of Richard Dawson or Steve Harvey, or perhaps a combination of the two. From now until the October Conferences, we will periodically share short quick polls. Please indulge us and provide your responses to each anonymous poll. We will gather and rank the responses by popularity and reveal them at the Proxy Disclosure Conference.

At the risk of sounding like a broken Taylor Swift record (does anyone know what this means anymore?), I think now is the time for you to sign up for our October Conferences, either for the in-person program in San Francisco or for the virtual option. Go to our online store or give us a call at 800-737-1271. Act soon to take advantage of our early bird rate while you still can!

– Dave Lynn

June 27, 2024

Everybody in the Pool: SRCs Now Required to Report Material Cybersecurity Incidents

Readers of this blog that are of a certain vintage will no doubt recall the standout network television action-comedy series “The A-Team,” which features a ragtag group of heroes who manage to get involved in all sorts of shenanigans. As I was writing blog entries this week, Col. John “Hannibal” Smith’s recurring tagline came to mind: “I love it when a plan comes together.” The tagline was particularly amusing because it was always uttered when there was no plan whatsoever and everything appeared to be going awry for the A-Team.

Hannibal’s tagline came to mind this week because I did not set out to write multiple blog entries about current reporting of material cybersecurity incidents pursuant to Item 1.05 of Form 8-K, but somehow that turned out to be the recurring theme for the week (besides my take on our upcoming conferences)!

Today I wanted to note that smaller reporting companies became subject to the Item 1.05 reporting requirements effective June 15, 2024. All domestic operating companies that did not qualify as smaller reporting companies (including large accelerated filers, accelerated filers and non-accelerated filers), as well as foreign private issuers that did not qualify as smaller reporting companies, were required to comply with the Item 1.05 reporting requirements back in December 2023; smaller reporting companies were given an additional six months to get ready for the disclosure requirements.

For all of the smaller reporting companies out there, note that Item 1.05 of Form 8-K requires companies to: (i) disclose any cybersecurity incident they determine to be material; (ii) describe the material aspects of the nature, scope, and timing of the incident; and (iii) disclose the material impact or reasonably likely material impact of the incident on the company, including the company’s financial condition and results of operations. Companies must determine the materiality of an incident without unreasonable delay following discovery. If the company determines that the incident is material, it must file an Item 1.05 Form 8-K report within four business days of that determination. Companies are also required to file an amendment to their Form 8-K filing where certain required information was not available at the time of the initial filing. Such amendments must be filed within four business days after the company (i) determines such information or (ii) such information otherwise becomes available.

I am pretty sure all of The A-Team fans out there saw this next line coming: In the immortal words of Mr. T, who played Sergeant Bosco “B. A.” Baracus on The A-Team, I pity the fool that fails to file an Item 1.05 Form 8-K on time.

– Dave Lynn

June 27, 2024

A Summer Tribute to My Friend

I wanted to take a moment this week to acknowledge that this month marks four years since my dear friend Marty Dunn passed away. Members will no doubt recall Marty’s many contributions to our publications and programming, as well as his almost twenty years of distinguished service at the SEC. Marty and I had an absolute blast bringing you all of the latest developments in the world of securities law and corporate governance, and I feel that his legacy is most certainly an enduring one.

I am writing to you from the beach this week, and my location prompted a recollection of how much Marty enjoyed his annual summer trip to the Outer Banks in North Carolina with his family and friends. As long as I knew Marty, he would carve out a couple of weeks in the summer for a beach vacation that was, by all accounts, filled with lots of fun, music and love. I always admired how Marty prioritized this time with his family and friends, really trying to unplug from the demands of work so he could focus on having a memorable vacation. I can distinctly recall being at the SEC and engaging in extensive discussions about whether we should bother Marty at the beach because some crisis had emerged back in Washington, and most often the conclusion was to try to deal with the situation ourselves and let Marty enjoy his vacation. To me, that was a mark of what an inspiring leader he was, because he trusted us to deal with things while he was out of the office, and we admired him so much that we ourselves prioritized his vacation time with family and friends.

In more recent years, Marty had acquired his own place in the Outer Banks and treasured any time that he could get away and enjoy it, including those same two weeks in the middle of the summer. It makes me sad to think about how much he looked forward to spending more time there in the later stages of his career, because it was truly his “happy place.” His memory certainly encourages me to try to enjoy my time at the beach, which I am obviously not very good at, as evidenced by the fact that I have been writing blog entries all week about current reporting of material cybersecurity incidents under Item 1.05 of Form 8-K.

If, like me, you sometimes want to remember Marty and take in some of his entertaining words of wisdom, I encourage you to check out these tribute podcasts:

The Dave & Marty Show – The Fond Farewell Episodes, Part 1
The Dave & Marty Show – The Fond Farewell Episodes, Part 2
The Dave & Marty Show – The Fond Farewell Episodes, Part 3
Deep Dive with Dave – A Tribute to Marty Dunn

Most importantly, if you are having a drink by the pool or at the beach this summer, please pour one out for Marty!

– Dave Lynn

June 27, 2024

Looking Forward to Our Upcoming Conferences: Tackling Climate Disclosure

This week I am telling you about a number of the panels that I will join at the “2024 Proxy Disclosure & 21st Annual Executive Compensation Conferences” with the hope that you will get a sense of the range of topics that will be addressed at the Conferences.

On Monday, October 14th at the Proxy Disclosure Conference, I will join Ning Chiu, J.T. Ho, Rose Pierson and Beth Sasfai on a panel titled “Climate Disclosures: Your New Action Items.” I look forward to speaking with this esteemed group about the status of the SEC’s rules, the interpretive issues that are coming up under the SEC’s rules, assessing materiality, getting the control environment right and navigating multiple reporting regimes. This will undoubtedly be a lively discussion of a topic that is very much on everyone’s mind as we consider how to comply with the SEC’s climate disclosure requirements.

As I have pointed out, now is a great time to sign up for our October conferences, whether for the live program or the virtual option. The process is easy, just check out our online store or pick up the phone and call us at 800-737-1271. Take advantage of our early bird rate while you still can!

– Dave Lynn

June 26, 2024

Form 8-Ks for Cybersecurity Incidents: The SEC Staff is Watching

If you have been in this game for a while, you know that there are some “truisms” when it comes to the Disclosure Review Program administered by the SEC’s Division of Corporation Finance. One of those truisms is that, in general, the Corp Fin Staff does not typically monitor or review Form 8-K filings in real time, with the exception of Section 4 Form 8-Ks, which are monitored and reviewed in real time by the accounting Staff. Instead, the Staff will typically review Form 8-K filings during the course of reviewing a company’s periodic reports, with that review usually conducted on a periodic basis after the company files its Form 10-K. Based on recent experience, it appears that the Staff has modified its procedures so that we are now seeing comments on Item 1.05 Form 8-Ks in real time.

It is perhaps no surprise that the Staff is reviewing and commenting on Item 1.05 Form 8-K filings, given all of the recent focus on current disclosure of material cybersecurity incidents. As Meredith noted back in May and as John noted last week, Corp Fin Director Erik Gerding has issued statements concerning the filing obligation under Item 1.05 and selective disclosure considerations regarding material cybersecurity incidents. As I noted yesterday, the Staff has updated its Exchange Act Form 8-K Compliance and Disclosure Interpretations to address when companies are required to disclose information on a current basis under Item 1.05 and how the materiality determination is made when assessing that disclosure obligation.

The Staff’s comments on Item 1.05 Form 8-Ks appear to be focused on why a company filed under Item 1.05 of Form 8-K, and in particular whether the company considered the reported cybersecurity incident to be material. The Staff’s comments have focused on situations where companies indicate in their Item 1.05 Form 8-K disclosure that the company does not believe that the incident has had a material impact on the company’s operations or financial condition, and/or the incident is not anticipated to have a material impact on the company’s financial condition and results of operations going forward. Given these sorts of statements, it appears that the Staff is trying to understand the rationale for filing the Form 8-K under Item 1.05, which requires current disclosure of “a cybersecurity incident that is determined by the registrant to be material.”

The Staff’s recent comments on these filings highlight the need for companies to conduct a carefully considered analysis of the materiality of a cybersecurity incident before deciding to report that incident in an Item 1.05 Form 8-K, and to have a thoroughly documented rationale for the materiality determination at the ready in the event that the Staff raises a comment on the Form 8-K filing.

– Dave Lynn

June 26, 2024

May-June 2024 Issue of The Corporate Executive

The latest issue of The Corporate Executive has been sent to the printer. It is also available now online to members of TheCorporateCounsel.net who subscribe to the electronic format. This issue tackles two timely topics, dealing with “grounded” moonshot awards and addressing the many issues arising with the use of corporate aircraft by adopting a comprehensive policy. On the topic of “grounded” moonshot awards, the issue notes:

We delve into the dynamics of moonshot awards again, and address the steps required when dealing with a grounded moonshot award. The first step is acceptance on the part of all parties involved that the goals and strategic vision associated with the moonshot award are not going to be achieved, and an understanding that the outstanding award is likely doing more harm than good. The second step is carefully considering the options, which could include modification or replacement, cancellation, forfeiture or maintaining the status quo. The third step is getting the governance right with respect to dealing with the grounded moonshot award. The fourth step is being transparent about moonshot awards and any subsequent changes to such awards, because it is important for a wide range of stakeholders to understand the rationale. Finally, it is important to consider the potential litigation risk when granting or subsequently changing moonshot awards.

On the topic of executive use of corporate aircraft, the May-June 2024 issue of The Corporate Executive notes that, with all of the focus on aircraft use right now by the SEC, the media and the general public, now is a good time to consider adopting a policy specifically addressing the use of corporate owned or leased aircraft. In the issue, we provide a form of policy that companies can adapt to their own circumstances. A key consideration when formulating an aircraft policy is the extent to which use of corporate aircraft is a very public endeavor, as noted in this excerpt:

When formulating a policy governing the use of corporate aircraft, companies should carefully consider that there is radical transparency around the flights that private aircraft take. As evidenced by reports of individuals tracking the private aircraft use of Taylor Swift and Elon Musk, and periodic coverage in business publications of where company aircraft is flying to and from, tracking the use of private aircraft is relatively easy based on publicly available information. Each aircraft is assigned a tail number that can be used to track the movement of the aircraft on websites such as FlightAware.com. Aircraft registration is generally considered to be public information in the U.S., which makes it relatively easy to find and track U.S.-registered aircraft by their unique tail number. It is possible for owners of aircraft to avoid this transparency by registering the aircraft in certain jurisdictions outside of the U.S. (e.g., Aruba, Bermuda, Cayman Islands, Isle of Man) or by disabling aircraft tracking for privacy purposes. European data privacy rules also prohibit the tracking of certain aircraft for privacy purposes.

Transparency around flight information can raise a number of considerations for companies using private aircraft travel for both business and personal purposes. For example, there are security considerations whenever an executive is traveling for either business or personal purposes, so the ability of the public to track a corporation’s aircraft can heighten security concerns when individuals or groups are able to determine that the executive is flying to a particular location. Further, it is conceivable that persons might use flight tracking information to try to gather business intelligence or information to inform trading decisions by identifying locations where the company aircraft is frequently flying to or from during specific periods in time. In the context of private use of corporate aircraft, back in 2011 the Wall Street Journal used tail numbers and information derived from Freedom of Information Act (“FOIA”) requests to create a database that tracked the use of corporate aircraft by particular companies, analyze patterns to identify where the planes were flying to and whether those locations had connections to the CEO or other executive officers (e.g., locations of homes, vacation destinations), and identify the potential costs associated with that travel based on industry estimates.

In formulating a policy concerning personal use of aircraft, the company should consider how such personal use will be perceived by investors and the public more broadly when identified in SEC filings and in potential news stories focused on executive perquisites, given the significant transparency surrounding the use of corporate aircraft and the fact that it is a frequent area of focus for the business media.

Please email sales@ccrcorp.com to subscribe to this essential resource if you are not already receiving the practical information that we provide in The Corporate Executive newsletter.

– Dave Lynn

June 26, 2024

Looking Forward to Our Upcoming Conferences: The SEC All-Stars (Take Two)

This week I am highlighting the panels that I will be joining at the “2024 Proxy Disclosure & 21st Annual Executive Compensation Conferences” to give you a flavor for all of the interesting topics that we will be covering during an action-packed two days of in-person programming. On Tuesday, October 15, 2024, I will be on stage with yet another group of talented SEC All-Stars for a deep dive into executive compensation topics during the panel “The SEC All-Stars: Executive Pay Nuggets.” As I mentioned last year, this is my favorite panel at the Conferences solely by virtue of its title, given my long-standing relationship with a certain food item that gave me a life-long nickname which I can’t seem to shake.

I am very fortunate to be speaking with Sonia Barro, Mark Borges, Brian Breheny and Ron Mueller for this panel, and our plan is to cover pay versus performance disclosure, equity plan proposals, human capital disclosure, trends with executive compensation metrics and the latest developments with Rule 10b5-1 plans. This is a panel at the “21st Annual Executive Compensation Conference” that you do not want to miss!

You know the drill by now – sign up today by using our online store or by calling us at 800-737-1271. Keep in mind that our early bird registration deadline has been extended to July 26th, so be sure to take advantage of the in-person Single Attendee Price of $1,750, which is discounted from the regular $2,195 rate. If you can’t be in San Francisco for the live show, there is also a virtual option.

– Dave Lynn

June 25, 2024

New Cybersecurity Disclosure Guidance: Corp Fin Issues Five CDIs

The SEC’s cybersecurity disclosure requirements remain in the spotlight, as yesterday the Staff published its latest guidance interpreting Item 1.05 of Form 8-K. The Staff updated the Exchange Act Form 8-K Compliance and Disclosure Interpretations with five new CDIs, adding to the interpretations of Item 1.05 that were published back in December 2023. The new CDIs are as follows:

Question 104B.05

Question: A registrant experiences a cybersecurity incident involving a ransomware attack. The ransomware attack results in a disruption in operations or the exfiltration of data. After discovering the incident but before determining whether the incident is material, the registrant makes a ransomware payment, and the threat actor that caused the incident ends the disruption of operations or returns the data. Is the registrant still required to make a materiality determination regarding the incident?

Answer: Yes. Item 1.05 of Form 8-K requires a registrant that experiences a cybersecurity incident to determine whether that incident is material. The cessation or apparent cessation of the incident prior to the materiality determination, including as a result of the registrant making a ransomware payment, does not relieve the registrant of the requirement to make such materiality determination.

Further, in making the required materiality determination, the registrant cannot necessarily conclude that the incident is not material simply because of the prior cessation or apparent cessation of the incident. Instead, in assessing the materiality of the incident, the registrant should, as the Commission noted in the adopting release for Item 1.05 of Form 8-K, determine “if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly altered the total mix of information made available,” notwithstanding the fact that the incident may have already been resolved. Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11216; 34-97989 (July 26, 2023) [88 FR 51896, 51917 (Aug. 4, 2023)] (quoting Matrixx Initiatives v. Siracusano, 563 U.S. 27, 38-40 (2011); Basic Inc. v. Levinson, 485 U.S. 224, 240 (1988); TSC Indus. v. Northway, 426 U.S. 438, 449 (1976)) (internal quotation marks omitted). [June 24, 2024]

Question 104B.06

Question: A registrant experiences a cybersecurity incident that it determines to be material. That incident involves a ransomware attack that results in a disruption in operations or the exfiltration of data and has a material impact or is reasonably likely to have a material impact on the registrant, including its financial condition and results of operations. Subsequently, the registrant makes a ransomware payment, and the threat actor that caused the incident ends the disruption of operations or returns the data. If the registrant has not reported the incident pursuant to Item 1.05 of Form 8-K before it made the ransomware payment and the threat actor has ended the disruption of operations or returned the data before the Form 8-K Item 1.05 filing deadline, does the registrant still need to disclose the incident pursuant to Item 1.05 of Form 8-K?

Answer: Yes. Because the registrant experienced a cybersecurity incident that it determined to be material, the subsequent ransomware payment and cessation or apparent cessation of the incident does not relieve the registrant of the requirement to report the incident under Item 1.05 of Form 8-K within four business days after the registrant determines that it has experienced a material cybersecurity incident. [June 24, 2024]

Question 104B.07

Question: A registrant experiences a cybersecurity incident involving a ransomware attack, and the registrant makes a ransomware payment to the threat actor that caused the incident. The registrant has an insurance policy that covers cybersecurity incidents and is reimbursed for all or a substantial portion of the ransomware payment. Is the incident necessarily not material as a result of the registrant being reimbursed for the ransomware payment under its insurance policy?

Answer: No. The standard that the Commission articulated for assessing the materiality of a cybersecurity incident under Item 1.05 of Form 8-K is set forth in the adopting release for the rule and is reiterated in Question 104B.05. Further, as the Commission noted in the adopting release for Item 1.05 of Form 8-K, when assessing the materiality of cybersecurity incidents, registrants “should take into consideration all relevant facts and circumstances, which may involve consideration of both quantitative and qualitative factors” including, for example, “consider[ing] both the immediate fallout and any longer term effects on its operations, finances, brand perception, customer relationships, and so on, as part of its materiality analysis.” Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11216; 34-97989 (July 26, 2023) [88 FR 51896, 51917 (Aug. 4, 2023)]. Under the facts described in this question, such consideration also may include an assessment of the subsequent availability of, or increase in cost to the registrant of, insurance policies that cover cybersecurity incidents. [June 24, 2024]

Question 104B.08

Question: A registrant experiences a cybersecurity incident involving a ransomware attack. Is the size of the ransomware payment, by itself, determinative as to whether the cybersecurity incident is material? For example, would a ransomware payment that is small in size necessarily make the related cybersecurity incident immaterial?

Answer: No. The standard that the Commission articulated for assessing the materiality of a cybersecurity incident under Item 1.05 of Form 8-K is set forth in the adopting release for the rule and reiterated in Question 104B.05. Under that standard, the size of any ransomware payment demanded or made is only one of the facts and circumstances that registrants should consider in making its materiality determination regarding the cybersecurity incident. Further, in the adopting release for Item 1.05 of Form 8-K, the Commission declined “to use a quantifiable trigger for Item 1.05 because some cybersecurity incidents may be material yet not cross a particular financial threshold.”

Any ransomware payment made is only one of the various potential impacts of a cybersecurity incident that a registrant should consider under Item 1.05. As the Commission further stated in Item 1.05’s adopting release:

“[T]he material impact of an incident may encompass a range of harms, some quantitative and others qualitative. A lack of quantifiable harm does not necessarily mean an incident is not material. For example, an incident that results in significant reputational harm to a registrant . . . may not cross a particular quantitative threshold, but it should nonetheless be reported if the reputational harm is material.”

Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11216; 34-97989 (July 26, 2023) [88 FR 51896, 51906 (Aug. 4, 2023)]. [June 24, 2024]

Question 104B.09

Question: A registrant experiences a series of cybersecurity incidents involving ransomware attacks over time, either by a single threat actor or by multiple threat actors. The registrant determines that each incident, individually, is immaterial. Is disclosure of those cybersecurity incidents nonetheless required pursuant to Item 1.05 of Form 8-K?

Answer: Disclosure of those cybersecurity incidents may, depending on the particular facts and circumstances, be required pursuant to Item 1.05 of Form 8-K. In these circumstances, the registrant should consider whether any of those incidents were related, and if so, determine whether those related incidents, collectively, were material. The definition of “cybersecurity incident” under Item 106(a) of Regulation S-K (which, as noted in Instruction 3 to Item 1.05, is the definition that applies to Item 1.05 of Form 8-K) includes “a series of related unauthorized occurrences.” In the adopting release for Item 1.05, the Commission noted:

“[W]hen a company finds that it has been materially affected by what may appear as a series of related cyber intrusions, Item 1.05 may be triggered even if the material impact or reasonably likely material impact could be parceled among the multiple intrusions to render each by itself immaterial. One example was provided in the Proposing Release: the same malicious actor engages in a number of smaller but continuous cyberattacks related in time and form against the same company and collectively, they are either quantitatively or qualitatively material. Another example is a series of related attacks from multiple actors exploiting the same vulnerability and collectively impeding the company’s business materially.”

Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11216; 34-97989 (July 26, 2023) [88 FR 51896, 51910 (Aug. 4, 2023)]. [June 24, 2024]
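Two points on this page lend themselves to a small incident-tracking script that an incident response team can keep alongside its runbook: the Item 1.05 timeline (materiality determination, then a four-business-day filing deadline, and a four-business-day deadline for any amendment once missing information becomes available), and the CDI 104B.09 point that incidents which are individually immaterial may still have to be assessed collectively when they form a series of related occurrences. The Python below is an added example written for this page, not code from the SEC, from TheCorporateCounsel.net or from any filer. The holiday calendar, the 90-day window used to treat attacks as “related in time,” and every incident identifier, actor label and vulnerability label are constructed assumptions; the two linking rules mirror the two examples the adopting release gives (same actor, continuous attacks; or multiple actors exploiting the same vulnerability).

```python
"""Item 1.05 Form 8-K timeline helpers and related-incident grouping (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from itertools import combinations

# Constructed placeholder calendar. SEC business days exclude weekends and
# federal holidays; load the real federal holiday list for the filing year.
HOLIDAYS = {date(2024, 7, 4)}  # Independence Day 2024, for illustration only


def is_business_day(d: date) -> bool:
    return d.weekday() < 5 and d not in HOLIDAYS


def add_business_days(start: date, n: int) -> date:
    """Date n business days after start; the start date itself is day zero."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if is_business_day(d):
            n -= 1
    return d


def form_8k_deadline(materiality_determined: date) -> date:
    """Initial Item 1.05 deadline: four business days after the materiality determination."""
    return add_business_days(materiality_determined, 4)


def amendment_deadline(info_available: date) -> date:
    """Amendment deadline for information unavailable at the initial filing:
    four business days after that information is determined or becomes available."""
    return add_business_days(info_available, 4)


def filing_deadlines(determined_iso: str, info_available_iso: str = "") -> dict:
    """ISO-date convenience wrapper returning the deadlines as ISO strings."""
    out = {"filing_deadline": form_8k_deadline(date.fromisoformat(determined_iso)).isoformat()}
    if info_available_iso:
        out["amendment_deadline"] = amendment_deadline(date.fromisoformat(info_available_iso)).isoformat()
    return out


@dataclass(frozen=True)
class Incident:
    incident_id: str
    discovered: date
    actor: str          # attribution label from the IR case file, or "unknown"
    vulnerability: str  # identifier of the exploited weakness (placeholder values below)


def related(a: Incident, b: Incident, window_days: int) -> bool:
    """Link two incidents when they are close in time and share either the same
    attributed actor or the same exploited vulnerability. The time window is an
    assumption of this example, not a rule stated by the SEC."""
    close_in_time = abs((a.discovered - b.discovered).days) <= window_days
    same_actor = a.actor != "unknown" and a.actor == b.actor
    same_vuln = a.vulnerability == b.vulnerability
    return close_in_time and (same_actor or same_vuln)


def group_related(incidents: list, window_days: int = 90) -> list:
    """Union-find over pairwise links. Each returned group is a candidate
    'series of related unauthorized occurrences' whose collective impact the
    registrant should assess; the materiality judgment itself stays with people."""
    parent = {i.incident_id: i.incident_id for i in incidents}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in combinations(incidents, 2):
        if related(a, b, window_days):
            parent[find(a.incident_id)] = find(b.incident_id)
    groups = {}
    for i in incidents:
        groups.setdefault(find(i.incident_id), []).append(i.incident_id)
    return sorted(sorted(g) for g in groups.values())


# Constructed sample incidents; none of these correspond to real events.
SAMPLE_INCIDENTS = [
    Incident("INC-A1", date(2024, 6, 3), "ACTOR-1", "VULN-1"),
    Incident("INC-A2", date(2024, 6, 20), "ACTOR-1", "VULN-2"),  # same actor, 17 days apart
    Incident("INC-B1", date(2024, 5, 10), "ACTOR-2", "VULN-3"),
    Incident("INC-B2", date(2024, 6, 1), "ACTOR-3", "VULN-3"),   # different actors, same vulnerability
    Incident("INC-C1", date(2023, 1, 5), "unknown", "VULN-9"),   # isolated, well outside the window
]

if __name__ == "__main__":
    print(group_related(SAMPLE_INCIDENTS))
    print(filing_deadlines("2024-06-28", "2024-07-01"))
```

A determination made on Friday, June 28, 2024 yields a filing deadline of July 5, 2024 under the placeholder calendar, because July 4 is skipped. The grouping step only proposes which incidents belong together; consistent with CDI 104B.08, the script deliberately applies no dollar or payment-size threshold, so each group still needs the qualitative and quantitative materiality analysis the adopting release describes, and the documented rationale for that analysis is what the Staff has been asking for in its comments.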

The new round of guidance no doubt reflects the challenges that companies are facing in figuring out how to comply with the new disclosure requirements in new Item 1.05 of Form 8-K and the Staff’s observations of disclosure practices to date. Given how difficult this disclosure item has turned out to be, I suspect that this is not the last time we will hear from the Corp Fin Staff on the topic.

– Dave Lynn