As discussed in a previous alert, on July 26, 2023, the U.S. Securities and Exchange Commission (SEC) approved final rules requiring that public companies report information regarding cybersecurity incidents within four business days of determining the incident was material. The cybersecurity rules included a limited exception to the four-business day requirement if the U.S. Attorney General (AG) determines public disclosure would pose a substantial risk to national security or public safety and provides written notice to the SEC to permit delayed disclosure. These Form 8-K requirements go into effect December 18, 2023.

This week, the Federal Bureau of Investigation (FBI), the U.S. Department of Justice (DOJ), and the SEC each released guidance regarding this exception.

Background

The SEC’s cybersecurity disclosure rules require publicly traded companies that experience "a cybersecurity incident that is determined by the registrant to be material,” to file a current report on Form 8-K under Item 1.05(a). The Form 8-K disclosure must include “the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.” Once a company determines a cybersecurity incident is material, the company has four business days to file the Form 8-K on the SEC’s EDGAR system.

Item 1.05(c) contains what is expected to be a rare exception to the general disclosure requirement in the event that the AG determines that the Item 1.05 disclosure “poses a substantial risk to national security or public safety, and notifies the Commission of such determination in writing.”

The exception in Item 1.05(c) allows for the AG to provide:

• an initial delay of up to 30 days;
• an additional period of up to 30 days; and
• a possible “final additional” period of delay of up to 60 days.

Any possible further delay “beyond the final 60-day delay,” requires AG determination of continued substantial risk and the issuance of an SEC exemptive order.

Release of FBI and DOJ Guidance

Since the cybersecurity rules were released, companies have expected the FBI and the DOJ to release guidance regarding the process for seeking an exemption. On December 6, 2023, the FBI issued a policy notice, and on December 12, 2023, the DOJ released guidelines that outline the process to request delays of cyber incident disclosures. The FBI’s policy notice provides details on the procedure for requesting a delay, and the DOJ’s guidelines address how the DOJ will make its determination on delay.

Necessary Components for Delay Request

To request a reporting delay, companies must contact the FBI through a dedicated email address (not released as of December 15, 2023), the Cybersecurity and Infrastructure Security Agency (CISA), or other government agencies, as allowed.

Each request for a reporting delay is required to contain all of the following information:

• Company Name
• Estimated Time that Cyber Incident Occurred
• Time of company determination to disclose a cyber incident on SEC Form 8-K
• Any contact with the FBI or another U.S. government agency regarding the incident (providing names and field offices of the FBI points of contact or information regarding the U.S. government agency)
• Description of the incident in detail. Including, at a minimum:
  • Type of incident
  • Known or suspected intrusion vectors, including any identified vulnerabilities
  • Identification and description of how any infrastructure or data were affected
  • Operational impact on the company, if known
• Confirmation or suspicion of attribution of the cyber actors responsible
• Current status of any remediation or mitigation efforts
• Location of where the incident occurred (providing street address, city, and state)
• Company points of contact for this matter (providing the name, phone number, and email address)
• Whether the company has previously submitted a delay referral request
  • If so, including details about when the DOJ made its last delay determination(s), on what grounds, and for how long it granted the delay (if applicable).

Overview of the DOJ Determination Process

The DOJ Guidelines advise that determinations for delays are primarily concerned with whether the public disclosure of a cybersecurity incident threatens public safety or national security, not whether the incident itself poses a substantial risk to public safety and national security. The guidelines note that the prompt public disclosure of relevant information about a cybersecurity incident often provides an overall benefit for investors, public safety, and national security.

The DOJ Guidelines limit the expected circumstances in which public disclosure could pose a substantial risk to national security or public safety to the following categories:

1. The cybersecurity incident occurred because the illicit cyber activities were reasonably suspected to have involved a technique for which there is not yet well-known mitigation;
2. The cybersecurity incident primarily impacts a system that contains sensitive U.S. Government information;
3. The registrant requesting a delay is conducting remediation efforts for critical infrastructure or for a critical system; and
4. A U.S. Government (USG) agency believes the available facts concerning the cybersecurity incident show that public disclosure poses a substantial risk to national security or public safety.

The most relevant facts for determination of delayed disclosure will pertain to potential consequences to national security or public safety that would result from a disclosure within the timeframe required by Form 8-K Item 1.05.

The Attorney General must invoke the provision permitting a delay in disclosing an incident within four business days of a determination by the registrant that the registrant has experienced a material cybersecurity incident. As such, it is important that the registrant provide the FBI information about a cybersecurity incident likely to meet the requirements for delayed disclosure as soon as possible to allow for a thorough FBI investigation. While not a requirement of the process laid out in DOJ guidance, communication with the FBI is recommended even before the registrant has completed its materiality analysis or its investigation into the incident. The FBI’s referral of a delay request to the DOJ will include an evaluation of whether the public disclosure required by Form 8-K Item 1.05 within its prescribed timeframe would pose a substantial risk to national security or public safety.

The DOJ guidelines will be reassessed after completion of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) rulemaking. CISA is required to publish the CIRCIA Notice of Proposed Rulemaking, starting the rulemaking process, by March 2024.

Additional SEC Guidance

On December 12 and 14, 2023, the staff of the SEC published four Compliance and Disclosure Interpretations (CDIs) that relate to the national security exception and FBI and DOJ guidance. The CDIs include the following guidance:

• If a registrant requests an exception from the DOJ and the DOJ does not respond within four business days of the registrant determining that a cybersecurity incident was material, the registrant still must file the Item 1.05 Form 8-K within the four-business day deadline.
• If, after a DOJ delay is granted, the registrant asks for an additional delay but the DOJ declines or does not respond prior to the expiration of the delay period, the registrant must file the Item 1.05 Form 8-K within four business days of the expiration of the delay period.
• If, after a DOJ delay is granted, the DOJ notifies the registrant that the incident no longer poses a substantial risk to national security or public safety, the registrant must file the Item 1.05 Form 8-K within four business days of the DOJ’s notification.
• The sole fact that a registrant consults with the DOJ regarding the availability of a delay under Item 1.05(c) does not necessarily result in the determination that the incident is material and therefore subject to the requirements of Item 1.05(a).

Key Takeaway

The FBI, DOJ, and SEC guidance regarding the national security or public safety exception to the cybersecurity Form 8-K requirements emphasize two points: that the exception is likely to be extremely limited, and that notifying the FBI as quickly as possible once a determination that an incident is material will be crucial. Companies will likely need to consider the possibility of requesting the exception contemporaneously with making a materiality determination and prepare a request in advance of finalizing the materiality determination.