Since December 18, 2023 public companies other than smaller reporting companies are required to report a cybersecurity incident under Item 1.05 of Form 8-K within four business days after the company determines the incident is material.

Item 1.05(c) of Form 8-K permits a company to delay disclosing a material cybersecurity incident for a limited period of time if the U.S. Attorney General determines that the disclosure required by Item 1.05(a) poses a substantial risk to national security or public safety. The Department of Justice (DOJ) and the Federal Bureau of Investigation (FBI) recently issued guidance describing the process for making that determination. The process requires the company experiencing the incident or a U.S. government agency in some circumstances to submit to the FBI a written request for delayed disclosure.