Dear Mary,
I work for a public company that recently experienced a ransomware attack. Fortunately, we were able to restore our business operations quickly by obtaining a decryption key from the threat actor. Given that we managed to get back up and running so swiftly, do we still need to determine whether the incident is material and report it?
Sincerely,
– Concerned Executive
September 11, 2024
Dear Concerned Executive,
Yes, your company is still required to determine whether the incident is material, even if you managed to restore operations quickly. One of the primary objectives following a ransomware attack is to get the business back up and running safely and securely. Every day the business is not operational translates to financial loss, reputational harm, and other negative impacts.
Achieving this often requires significant effort, including assistance from third-party restoration firms, rebuilding systems from scratch, and sometimes even negotiating with the threat actor for a decryption key in exchange for a ransom payment. Once the business is operational again, it is considered a significant win.
However, returning to normal business operations does not absolve a company from the requirement to make materiality determinations. Even if the company manages to restore operations in record time, it must still assess the materiality of the cybersecurity incident and report the incident under Item 1.05 of Form 8-K within four business days after the company determines that it has experienced a material cybersecurity incident.
On a positive note, if operations are restored quickly, it may indicate that the financial impact was minimal, which is a factor to consider when determining materiality. The key point is that in assessing the materiality of the incident, a company should determine whether “there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly altered the total mix of information made available,” regardless of the resolution of an incident, including if such resolution occurred because the company ultimately paid a ransom demand or otherwise obtained a decryptor.
It sounds like your company has some decisions to make. If you are uncertain whether the incident is material, you may want to consider using Item 8.01 to disclose the cybersecurity incident. Keep in mind, however, that if a company discloses a nonmaterial incident, or one for which it has not yet made a materiality determination, under Item 8.01 and then later determines that the incident is material, the company should file an Item 1.05 within four business days of such subsequent materiality determination. This later notice may reference the Item 8.01 initial notice but should still satisfy the disclosure requirements of an Item 1.05 filing.
Sincerely,
— Mary
‘Dear Mary,’ is Troutman Pepper’s cybersecurity advice column, brought to you by its Incidents + Investigations team. Through this column, “Mary” responds directly to her readers’ questions, covering all things related to incident response, data breach, and cybersecurity. Have a question about security incidents, forensic investigations, data breaches, or preventing/managing the legal and regulatory challenges that follow? Reach out to have your question answered. Of course, answers provided will be general in nature and should not be considered legal advice. If you need legal advice or representation, please contact one of our attorneys directly. ‘Dear Mary’ can also be found on the firm’s website.