Microsoft Corporation responded to a comment letter from the SEC regarding their cybersecurity incident disclosures on Form 8-K and Form 8-K/A, filed on January 19 and March 8, 2024, respectively. The SEC inquired why Microsoft filed under Item 1.05 of Form 8-K despite stating the incident had not materially impacted operations or financial results. Microsoft detected unauthorized access by a nation-state associated actor to employee emails in late November 2023, leading to data exfiltration. At the time of the initial filing, the investigation was incomplete, and the impact was uncertain. Microsoft disclosed the incident under Item 1.05 due to the ongoing investigation and the SEC's guidance to resolve doubts in favor of disclosure. The company continues to monitor the situation and will update...Show More

Microsoft Corporation responded to a comment letter from the SEC regarding their cybersecurity incident disclosures on Form 8-K and Form 8-K/A, filed on January 19 and March 8, 2024, respectively. The SEC inquired why Microsoft filed under Item 1.05 of Form 8-K despite stating the incident had not materially impacted operations or financial results. Microsoft detected unauthorized access by a nation-state associated actor to employee emails in late November 2023, leading to data exfiltration. At the time of the initial filing, the investigation was incomplete, and the impact was uncertain. Microsoft disclosed the incident under Item 1.05 due to the ongoing investigation and the SEC's guidance to resolve doubts in favor of disclosure. The company continues to monitor the situation and will update disclosures if the incident is found to materially affect the company. Microsoft also acknowledged the Gerding Statement regarding the disclosure of material cybersecurity incidents and will consider it for future incidents. As of the response date, Microsoft does not believe the incident has materially impacted its reputation or customer relationships but will amend disclosures if this assessment changes.