Thomas J. Kim Partner T: +1 202.887.3550 M: +1 202.420.1282 tkim@gibsondunn.com

July 31, 2024

Division of Corporation Finance

Securities and Exchange Commission

100 F Street, NE

Washington, DC 20549

 

Re:

AT&T Inc.

Form 8-K

Filed July 12, 2024

File No. 001-08610

Ladies and Gentlemen:

On behalf of our client, AT&T Inc. (the “Company,” “AT&T” or “we”): we are in receipt of the letter from the staff (the “Staff”) of the Securities and Exchange Commission (the “Commission”) dated July 26, 2024 to Mr. David R. McAtee II of AT&T. For your convenience, we have included the Staff’s comment herein and included our response accordingly.

The Company’s response to the Staff’s comment is set forth below.

Form 8-K

Item 1.05 Material Cybersecurity Incidents

 

1.

Please tell us whether or not this incident is a material cybersecurity incident under Item 1.05(a) of Form 8-K. If you determined the cybersecurity incident to be material, please describe all material impacts or reasonably likely material impacts on the company as required by Item 1.05(a), not just the impacts on “AT&T’s operations” and “financial condition or results of operations.” As the Commission noted in the adopting release, the rule’s inclusion of “financial condition and results of operations” is not exclusive; companies should consider qualitative factors alongside quantitative factors in assessing the material impact of an incident. For example, consider impacts on customer relationships, competitiveness, and potential reputational harm related to the cybersecurity incident. If you did not determine the cybersecurity incident to be material, please provide an analysis supporting your conclusion and advise us as to why you filed under Item 1.05 of Form 8-K rather than Item 8.01 of Form 8-K.

Response:

The Company acknowledges the Staff’s comment and confirms that the Company determined this incident to be a material cybersecurity incident under Item 1.05(a) of Form 8-K. Importantly, the question of whether an incident is “material” for purposes of 1.05(a) of Form 8-K is distinct from the question of whether an incident is likely to have a “material impact” on the registrant. As described below, the Company carefully considered both quantitative and qualitative factors when it evaluated the materiality of the incident and determined that the incident was a material cybersecurity incident under Item 1.05(a).

I.

As a threshold matter, we note that Item 1.05(a) does not require a registrant to affirmatively state in the Form 8-K that the incident is “material.” In this regard, Item 1.05(a) is similar to other Form 8-K items, such as Item 1.01, Entry into a Material Definitive Agreement. Under Item 1.01, if an agreement is a “material definitive agreement not made in the ordinary course of business of the registrant,” then the registrant is required to provide the information requested by Item 1.01(a)(1) and (2), neither of which directs the registrant to affirmatively state that the agreement is material or to explain why the agreement is material.

 

Gibson, Dunn & Crutcher LLP

1050 Connecticut Avenue, N.W. | Washington, D.C. 20036-5306 | T: 202.955.8500 | F: 202.467.0539 | gibsondunn.com

Division of Corporation Finance Securities and Exchange Commission		July 31, 2024 Page 2

 

II.

Whether an event is a material cybersecurity incident under Item 1.05(a) of Form 8-K is determined by what a reasonable investor would find important.

In the adopting release for Item 1.05, the SEC stated that:

the materiality standard registrants should apply in evaluating whether a Form 8-K would be triggered under proposed Item 1.05 would be consistent with that set out in the numerous cases addressing materiality in the securities laws, including TSC Industries, Inc. v. Northway, Inc., Basic, Inc. v. Levinson, and Matrixx Initiatives, Inc. v. Siracusano, and likewise with that set forth in 17 CFR 230.405 (“Securities Act Rule 405”) and 17 CFR 240.12b-2 (“Exchange Act Rule 12b-2”).¹

These cases define “material” by focusing on the reasonable investor and what the reasonable investor would find to be important. In the adopting release, the SEC summarized the import of these cases and rules as follows:

That is, information is material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, or if it would have “significantly altered the ‘total mix’ of information made available.” “Doubts as to the critical nature” of the relevant information should be “resolved in favor of those the statute is designed to protect,” namely investors.²

We believe there is a distinction between “material” and “material impact.” They are not the same concept: “material” is broader than “material impact,” and the definition’s focus is on investors and their viewpoints. The Company carefully considered both quantitative and qualitative factors when it evaluated the materiality of the incident. In view of the nature of the incident – which involved the exfiltration of records of calls and texts of nearly all of AT&T’s wireless customers over a six-month period in 2022 – the Company concluded that, particularly with the reputational and customer perception risks associated with the incident, information about the incident would significantly alter the total mix of information made available and that there was a substantial likelihood that a reasonable shareholder would consider information about the incident to be important in making a voting or investment decision. In other words, the Company concluded that the incident was “material” under well-established law highlighted by the SEC in its guidance on Item 1.05(a) of Form 8-K.

III.

In addition, we would note that the Form 8-K stated that “[o]n May 9, 2024, and again on June 5, 2024, the U.S. Department of Justice determined that, under Item 1.05(c) of Form 8-K, a delay in providing public disclosure was warranted.” As the Staff is aware, the Company would not have been able to obtain the relief provided by Item 1.05(c) had the Company not determined – and reported to the Department of Justice – that disclosure was required pursuant to Item 1.05(a). Also, before filing the Form 8-K, the Company was mindful of Erik Gerding’s May 21, 2024 statement, “Disclosure of Cybersecurity Incidents Determined To Be Material and Other Cybersecurity Incidents.”

IV.

In summary, “material” is not the same concept as “material impact”; it does not logically follow that a material incident must necessarily mean that there is a material impact. “Material” focuses on the reasonable investor and what such investor would consider important in making a voting or investment decision; in contrast, “material impact” focuses on the company and how the incident has affected the company. For a simple example of this distinction, consider the case of a charismatic CEO/founder who single-handedly built a multi-billion dollar public company and passes away in the prime of her life. Her death may be material to investors by creating a qualitative human capital management risk that may affect how investors view the company’s prospects, but, depending on the quality and competence of her management team, among other things, this risk may not have a material impact on the company.

 

1	Release No. 33-11216 (July 26, 2023) at 14 (internal footnotes omitted).

2	Id. at 14-15 (internal footnotes omitted).

Division of Corporation Finance Securities and Exchange Commission		July 31, 2024 Page 3

 

V.

 

The disclosure requirement under Item 1.05(a) states the following:

If the registrant experiences a cybersecurity incident that is determined by the registrant to be material, describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations. (emphasis added).

In response to this requirement, including the underlined language, the Company stated: “As of the date of this filing, this incident has not had a material impact on AT&T’s operations, and AT&T does not believe that this incident is reasonably likely to materially impact AT&T’s financial condition or results of operations.” As of the date of the filing of the Form 8-K, the Company did not believe that there was any other material impact or reasonably likely material impact of the incident on AT&T. In the future, if the risks created by this incident do result in a material impact or reasonably likely material impact on AT&T, then the Company will amend the Form 8-K to update it accordingly.

*   *    *

We appreciate your feedback on our filing and are available to address any questions you may have.

 

Cc:	Mr. David R. McAtee II, AT&T