TheCorporateCounsel.net

Providing practical guidance
since 1975.

July 22, 2024

The Update that Grounded A Thousand Planes

In the wake of some welcome news for the cybersecurity community late last week came a widespread and nearly economy-stopping tech outage on Friday morning that impacted many industries, including airlines, banks & hospitals, and government entities, like school districts & courthouses. While many whose lives and jobs were impacted by the outage are likely most concerned that a software update at one company could put so many businesses temporarily out of commission, we securities lawyers are thinking about what disclosures may need to be made — and what lawsuits may follow.

While CrowdStrike announced that the occurrence wasn’t “a security incident or cyberattack,” impacted companies should remember that the definitions of “cybersecurity incident” and “information systems” for purposes of Item 1.05 of Form 8-K are very broad.

Cybersecurity incident means an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.

Information systems means electronic information resources, owned or used by the registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the registrant’s information to maintain or support the registrant’s operations.

The adopting release also noted that the word “unauthorized” is meant to be broadly interpreted:

One commenter sought clarification of whether the definition encompasses accidental incidents, such as chance technology outages, that do not involve a malicious actor, while another commenter advocated broadening the definition to any incident materially disrupting operations, regardless of what precipitated it. …

We are also retaining “unauthorized” in the incident definition as proposed. In general, we believe that an accidental occurrence is an unauthorized occurrence. Therefore, we note that an accidental occurrence may be a cybersecurity incident under our definition, even if there is no confirmed malicious activity. For example, if a company’s customer data are accidentally exposed, allowing unauthorized access to such data, the data breach would constitute a “cybersecurity incident” that would necessitate a materiality analysis to determine whether disclosure under Item 1.05 of Form 8-K is required.

The SEC has noted on its homepage that it is monitoring for market-related impacts of this “widespread IT disruption.” Maybe at some point the Staff will also clarify how to apply the “cybersecurity incident” definition to outages like this. In the meantime, companies will need to gather facts internally and assess with counsel whether their situation meets the definition of “cybersecurity incident” with the guidance we do have — including the adopting release and CDIs.

While it appears here, based on public reporting to date, that no data has been exposed nor systems accessed, this broad interpretation of “unauthorized” to include “accidental” has people scratching their heads, wondering whether including this type of software glitch in the universe of 8-K triggering events renders the “security” aspect of the rules meaningless. That said, some impacted companies clearly had issues with the “availability” of their information systems. If companies determine that a cybersecurity incident has occurred, they will need to assess whether it is material.

Meredith Ervine 
