SEC Advice on Ransomware Disclosure
The Securities and Exchange Commission has published fresh advice about when companies need to disclose a ransomware incident to investors, warning that companies will need to perform materiality assessments and be prepared to disclose the attack even if the attack is small and the company returns to normal operations quickly.
The agency released five compliance and disclosure interpretations on cybersecurity incidents earlier this week, sketching out hypothetical scenarios that companies might encounter during a ransomware attack. Each C&DI item essentially shot down any hope a company might have that it could dodge the work of a materiality analysis just because the attack was small or because it paid off the attackers to get its systems back.
Compliance and disclosure interpretations don’t carry the full imprimatur of SEC guidance; they merely, the agency says, “reflect the views of the staff” of the Division of Corporation Finance, and “they are not binding due to their highly informal nature.”
Still, let’s not kid ourselves here. Companies are never thrilled to disclose a cybersecurity incident to the public, and will look for any rationale they can find to justify keeping quiet. This latest advice from the SEC is a clear sign that the agency frowns upon those shortcuts. Maybe you won’t need to disclose that latest embarrassing attack, but you’re going to need to do the work to reach that judgment soundly.
This all stems from SEC rules adopted last year requiring companies to disclose “material cybersecurity incidents” on Form 8-K within four business days of determining that an attack is indeed material. Companies need to evaluate whether an incident is material along both quantitative and qualitative dimensions. It’s entirely possible that an incident might be qualitatively material (that is, worthy of disclosure) even while the damage is quantitatively immaterial.
That can lead to some mighty confusing materiality analyses. Hence the C&DI advice published this week. Let’s consider a few.
Ransomware Disclosure Examples
Say your company suffers a ransomware attack that disrupts operations or leads to exfiltration of data. After you discover the attack, but before you determine whether the incident is material, you pay the ransom and the attackers restore your access to the systems and return the stolen data. Do you still need to make a materiality assessment even though everything is back to normal?
Yes, you do, the SEC says. “The registrant cannot necessarily conclude that the incident is not material simply because of the prior cessation or apparent cessation of the incident,” according to the C&DI. (Also, applause to the SEC for mentioning “apparent” cessation — because if you really believe ransomware attackers will leave you alone after you pay them, you’re a dolt.)
Next scenario: your company suffers a ransomware attack and pays the ransom. Then your cyber-insurance carrier reimburses you for the costs of the attack, essentially making your company whole. Does that mean the incident is necessarily not material?
No, it doesn’t, the SEC says. Its cyber disclosure rule expressly says companies must consider qualitative factors as part of their materiality analysis, such as longer-term effects on operations, finances, brand perception, customer relationships, and so on.
And one more: your company suffers a string of ransomware attacks over time, by either a single attacker or several. You determine that each incident is, unto itself, immaterial. Might the company still need to disclose them because they’re happening so often?
Quite possibly, the SEC says. For example, if a single attacker is hitting you multiple times, that could suggest that the attacker has some larger agenda against your company. Or if multiple attackers all exploit the same IT security weakness in your systems, that suggests that you have a poor IT control environment. Either issue could be qualitatively material to investors.
You can read all five C&DI items on the Division of Corporation Finance website. Look for the heading, “Section 104B. Item 1.05 Material Cybersecurity Incidents” and then skim down to the five items added on June 24, 2024. (And since I know the Corp Fin folks read these pages — really, you can’t include a listing of updated C&DIs by date?)
Appreciate the Big Picture Here
The big picture is simply that the materiality of a cyber incident does not depend solely on its financial costs. Quite often, the qualitative factors of a breach will say more about the company’s operational and risk management capabilities — but assessing those factors isn’t easy, and indeed might be more difficult than the quantitative stuff.
To assess qualitative materiality, you need to ask both how the attack happened, and what its long-term consequences might be. That will take deft coordination among the IT security, operations, compliance, and finance teams.
For example, when assessing how the attack happened, you’d likely need to re-examine several important controls:
- Vulnerability scanning, to probe your software on a regular basis (if not constantly) and identify potential weaknesses or known vulnerabilities.
- Intrusion detection, to detect an unauthorized user who’s either trying to penetrate your IT systems or has already done so.
- Patch management, to apply software patches promptly when your vendors (cloud-based or otherwise) release a fix for a weakness they’ve found.
- Forensic capabilities, to dissect how an incident has happened and what damage has been done.
- An incident response plan, to put those forensic capabilities to use when an incident happens and to introduce compensating controls as necessary while you stop the damage.
Well, has your IT security team implemented and documented those controls? Has internal audit tested them for effectiveness? Has the compliance team reviewed them so you understand how to factor them into a materiality analysis?
As for long-term consequences, you might need to talk closely with operations or public affairs teams to understand whether your cyber incident might sour important business relationships or leave consumers with a poor perception of your company. Then talk with financial planning teams to figure out if you can put a number on those factors.
My point — and the point suggested by the SEC’s latest advice — is that this work cannot be ignored simply because the immediate dollar damage of a ransomware attack is small. Financial materiality is not the only variable in the equation here. Companies should accept that reality now, before the SEC reminds you of it later in an enforcement action.