💰

Debevoise & Plimpton LLP Security Incident

24/06/2024 455 days ago Resolved

Incident Overview

Situation Description

The SEC released new guidance on material cybersecurity incident disclosure under Item 1.05 of Form 8-K, focusing on ransomware events.

Event Types

Ransomware Regulatory Enforcement

Industry Sector

nan

Geographic Scope

nan

Response Actions

Fulfilled Formal Breach Disclosure Obligations Revised Incident Response Plan

Impact Analysis

Event Types (2 identified)

Ransomware Regulatory Enforcement

Financial Impact

$0 USD

Records Affected

Data Types Compromised

N/A

Primary Impacts

Reputational Damage Legal/Regulatory Penalties

Key Decisions Made

A completed ransomware attack does not automatically absolve a registrant from making a materiality determination.; Material cybersecurity events must still be disclosed on a Form 8-K within four business days of the materiality determination, even if the incident has ceased.; Insurance coverage for a ransomware payment does not render a cybersecurity incident immaterial.

Technical Analysis

Attack Method

Unknown

Additional Information

Capabilities Professionals Experience Insights & Publications News Careers About Us Pro Bono Alumni Locations Contact Us Search 2025 Debevoise & Plimpton LLP Back to Top SEC Releases New Guidance on Material Cybersecurity Incident Disclosure 27 June 2024 View the Debrief Share On June 24, 2024, the staff of the Division of Corporation Finance of the Securities and Exchange Commission (the SEC) released five new Compliance & Disclosure Interpretations (C&DIs) relating to the disclosure of material cybersecurity incidents under Item 1.05 of Form 8-K. A summary of the updates is below, followed by the full text of the new C&DIs. While the fact patterns underlying the new C&DIs focus on ransomware, issuers should consider the guidance generally in analyzing disclosure obligations for cybersecurity events. ITEM 1.05 OF FORM 8-K Completed ransomware attack does not absolve materiality determination : The cessation or apparent cessation of the incident prior to the materiality determination does not necessarily indicate that the incident was not material, and the registrant still needs to make a determination. If a registrant experiences a cybersecurity incident involving a ransomware attack and, prior to any materiality determination by the registrant, the registrant pays the ransom and the threat actor ends their disruption of operations and returns any exfiltrated data, the registrant must still make a determination regarding the incidents materiality. Completed material cybersecurity event must still be disclosed : A cybersecurity incident that a registrant determines to have had a material impact or that is reasonably likely to result in a material impact on the registrant must still be disclosed on a Form 8-K within four business days after the registrant makes a materiality determination, even if the cessation or apparent cessation of the incident occurs prior to the filing of the Form 8-K. Insurance coverage : When determining whether a cybersecurity incident...

... (truncated for display)

Quick Facts

Company:: Debevoise & Plimpton LLP
Date:: 24/06/2024
Status:: Resolved
Decision Maker:: the staff of the Division of Corporation Finance of the Securities and Exchange Commission (the SEC)
Position:: nan
Published:: 2025

Source Information

Original Query

corporate filing "material impact" "ransomware attack" 2023..2024

View Original Source

Timeline

Information Published

2025

Incident Occurred

24/06/2024 (455 days ago)

Status: Resolved

Estimated resolution based on age

Actions

View Company Profile

Navigation

Quick Stats