On June 24, the Securities and Exchange Commission (SEC) released five additional Compliance and Disclosure Interpretations for Item 1.05 of Form 8-K (Material Cybersecurity Incidents). These interpretations provide additional guidance as to whether and when materiality determinations should be made and when related reporting obligations arise.

In particular, the interpretations are intended to provide additional guidance in the following scenarios:

  1. When a registrant makes a ransomware payment and the threat actor returns data and stops the disruption, all before the registrant makes a materiality determination.
  2. When a registrant makes a ransomware payment and the threat actor returns data and stops the disruption after the registrant makes a materiality determination and before it reports the incident.
  3. When a ransomware payment is fully covered by insurance.
  4. Whether the small size of a ransomware payment in itself determines a lack of materiality.
  5. Whether a series of immaterial cybersecurity incidents is reportable.

If you have any questions about determining and reporting material cybersecurity incidents under Item 1.05, please email the author directly or, if applicable, contact your primary Bass, Berry & Sims relationship attorney.