On December 18, the Securities and Exchange Commission's (SEC) new disclosure requirements go into effect and will require public companies to publicly report material cybersecurity incidents within four days of making a determination that an incident is material. A major question under new SEC cyber rules is whether and how victim companies may be able to use a narrow delay mechanism for public reporting when early disclosure threatens to cause harm. Specifically, the new rules provide victims a mechanism to request a delay for disclosures that “would pose a substantial risk to national security or public safety, contingent on a written notification by the Attorney General, who may take into consideration other Federal or other law enforcement agencies’ findings”.[1]

Based on our own experience in government and in advising on security incidents, the narrow path to delay offered in the SEC’s final rule appears unlikely to provide meaningful relief to many victims. And since the final rule was adopted, regulated entities have been looking for guidance on how this delay mechanism can be accessed and used.

The Federal Bureau of Investigation (FBI), in coordination with the U.S. Department of Justice (DOJ), has now issued guidance on how victims can request disclosure delays for national security or public safety reasons.

What are the new cyber obligations?

Publicly traded companies are required to determine whether a cybersecurity incident is considered “material,” which the SEC defines as “a substantial likelihood that a reasonable shareholder would consider it important” when making an investment decision. After a company makes a materiality determination, the company then has four business days to publicly disclose the incident by filing an SEC form 8-K in the SEC’s online database EDGAR. Many commenters advised the agency that this short time period was too tight and would result in premature disclosures that may be based on still-evolving facts and forensics, and that may harm ongoing investigations and cooperation with law enforcement.

The SEC in response created a narrow mechanism for DOJ to grant a 30-day delay of the public filing requirement for the 8-K for national security or public safety reasons. Delays, however, cannot exceed a total of 120 business days (or 60 days if only related solely to public safety) without an exemptive order from the SEC.

This part of the SEC rules was – and remains – controversial, as nearly every sector of the economy had advised the agency that premature disclosure of cyber incidents can increase risk to the victim companies and their customers and employees and interfere with ongoing criminal investigations. Commenters had urged the SEC to heed the approaches in other federal and state breach reporting models, but the SEC largely rejected those pleas, offering instead a relatively narrow option for delay that has high standards and may not be relevant to many or most incidents. The FBI has expressed a keen interest in helping victim companies respond to incidents and has for years been a willing and discreet partner to organizations under attack. It has been working to support this new SEC mechanism.

How can victim companies seek a delay?

As explained in a newly published FBI Policy Notice, the FBI will be responsible for handling delay requests, coordinating with relevant national security and public safety entities, and referring those requests to DOJ for adjudication. It’s important to note that the FBI indicates delay requests will not be processed unless the request is made immediately upon a company’s determination of materiality.

Since a victim company must publicly disclose the cybersecurity incident to the SEC within four business days, it is imperative that the company immediately contact the FBI to request a public notification delay so that the Attorney General can determine whether a public filing would pose a significant threat to public safety or national security. DOJ and the Attorney General will expeditiously make these determinations and notify the requesting victim, the SEC, and the referring agency (including the FBI) of its decision.

To request a reporting delay, the FBI Guidance to Victims of Cyber Incidents on SEC Reporting Requirements: Request a Delay, indicates that victim companies must send an email to the FBI at a dedicated email address that will be announced soon. That email must contain all of the following information:

1. The name of the company;
2. The date when the cyber incident occurred;
3. The date when the victim company determined that the cyber incident was material under the regulations. This part of the notification must contain the date, time, and time zone. The FBI notes that failure to report this information to the FBI immediately upon determination will cause a delay-referral request to be denied.
4. Whether the victim company is already in contact with the FBI regarding this incident (and the names and field offices of the FBI points of contact);
5. A description of the cyber incident in detail which includes, at a minimum:
   1. What type of incident occurred;
   2. Whether there are known or suspected intrusion vectors;
   3. What infrastructure of data were affected (if any) and how they were affected;
   4. What the operations impact on the victim company is, if known;
6. Whether there are any confirmed or suspected attribution of the cyber actors responsible;
7. The current status of any remediation or mitigation efforts;
8. The location where the cyber incident occurred (including street address, city, and state);
9. The victim company’s points of contact for reporting this incident and requesting a delay; and,
10. Whether the victim company has previously submitted a delay referral request or if this is the first time? If a delay request has previously been submitted, the victim company is asked to include details about when DOJ made its last determination(s), on what grounds, and for how long a delay was granted (if applicable).

Each delay request must contain all of the above 10 pieces of information to be considered by the FBI. If the victim company doesn’t make the delay request to the FBI concurrently with the materiality determination, the FBI will not process the request.

The FBI recommends that all publicly traded companies establish a relationship with the cyber squad in their local FBI field office so that they can engage with the FBI as soon as a cyber incident is discovered. Early outreach to the FBI, before a delay request is submitted, can help the FBI to become familiar with the cyber incident before the victim company makes the delay request and can occur before a company makes a materiality determination. The government notes that engagement with the FBI doesn’t in and of itself mean that an incident is material.

The new guidance highlights the importance of having a process in place to review cybersecurity incidents at the time they occur, determine materiality and reporting obligations, and assess whether a notification delay request based on public safety or national security grounds should be requested before the four-day SEC public notification obligation deadline. It also underscores the importance of having relationships – directly or through counsel – with FBI contacts that can help. In our experience, the FBI’s cyber teams are often highly responsive and try to help victims with discretion.

There is only a short window of time between making a materiality decision, requesting a notification delay, and public disclosure of a cybersecurity incident. Companies would be well served by preparing for these short deadlines now.

[1] 88 Fed. Reg. 51896 https://www.sec.gov/files/rules/final/2023/33-11216.pdf

[View source.]