SideBar

The DOJ guidelines set forth in Department of Justice Material Cybersecurity Incident Delay Determinations outline the process that public companies, or federal agencies in coordination with companies, may use to request that the AG authorize delays of cyber incident disclosures required on Form 8-K.

Limited circumstances for finding a substantial risk to national security or public safety. The DOJ begins by drawing the distinction between whether the public disclosure of a cybersecurity incident threatens public safety or national security—which is the DOJ’s inquiry in this context—and whether the incident itself poses a substantial risk to public safety and national security: “While cybersecurity incidents themselves frequently threaten public safety and national security, the disclosure to the public that those incidents have occurred poses threats less often,” and can even be beneficial.  In most cases, companies will be able to craft disclosure of the information required by Form 8-K “at a level of generality that does not pose a substantial risk to national security or public safety,” but disclosure could pose a risk in some circumstances, which the DOJ expects to be limited to the following categories:

• “a)  The cybersecurity incident occurred because the illicit cyber activities were reasonably suspected to have involved a technique for which there is not yet well-known mitigation—for example, exploiting a software vulnerability for which there is no patch or other reasonably available mitigation—and the disclosure required by Item 1.05 could lead to more incidents, thereby posing a substantial risk to national security or public safety.
• b) The cybersecurity incident primarily impacts a system operated or maintained by a registrant that contains sensitive U.S. Government information, or information the U.S. Government would consider sensitive, and public disclosure required by Item 1.05 would make that information and/or system vulnerable to further exploitation by illicit cyber activity, thereby posing a substantial risk to national security or public safety.  This category includes systems operated or maintained for the government as well as systems not specifically operated or maintained for the government that contain information the government would view as sensitive, such as that regarding national defense or research and development performed pursuant to government contracts.
• c) The registrant is conducting remediation efforts for any critical infrastructure or critical system, and any disclosure required by Item 1.05(a) revealing that the registrant is aware of the incident would undermine those remediation efforts and thus pose a substantial risk to national security or public safety.
• d) The circumstances described below in Section 3 [procedure for a U.S. Government agency to follow when Item 1.05(c)’s exception might apply], after a government agency has made the registrant aware of them.”

Procedures for companies to follow. If a company discovers a cybersecurity incident and believes that disclosure may pose a substantial risk to national security or public safety, the company should, directly through a dedicated email (to come) or otherwise, or through another federal agency (such as the Cybersecurity and Infrastructure Security Agency or the Secret Service) immediately contact the FBI consistent with reporting instructions the FBI has issued. (The FBI instructions spell out precisely the nature of the information that should be included in any request to the FBI.)  The DOJ states the report should include a concise description of the facts indicating that disclosure would pose a substantial risk, “citing one or more of the categories described above. The most relevant facts will pertain to the potential consequences to national security or public safety that would result from a disclosure within the timeframe required by Item 1.05.”  The AG must “invoke the provision permitting a delay in disclosing an incident under the Commission rule within four business days of a determination by the registrant that the registrant has experienced a material cybersecurity incident.  As such, it is important that the registrant provide to the FBI, directly or indirectly through another U.S. Government agency, information about a cybersecurity incident likely to meet the requirements for delayed disclosure as soon as possible, even beginning well before the registrant has completed its materiality analysis or its investigation into the incident.”  The FBI then documents the facts provided by the company as well as “findings from related FBI national security and public safety records, equity checks, and appropriate consultations with other U.S. Government agencies.” In its referral to the DOJ of a delay request, the FBI will include an evaluation of whether Form 8-K public disclosure “within its prescribed timeframe would pose a substantial risk to national security or public safety.”

Procedure for a U.S. Government agency to follow when Item 1.05(c)’s exception might apply.  The guidelines also outline the procedures for U.S. Government agencies to follow should they become aware of a cybersecurity incident applicable to a company’s information system and believe that a Form 8-K disclosure could pose a substantial risk to national security or public safety. In addition, the guidelines identify the types of scenarios that might lead such a recommending agency, rather than a company, to be aware of a substantial risk, such as when disclosure might reveal a confidential source, the government is planning an operation to disrupt the activity or the government is conducting remediation effort  with regard to critical infrastructure.

Procedures after a determination.  The DOJ has “sole discretionary authority to determine whether and how long a substantial risk to national security or public safety exists such that a delay in disclosure is necessary consistent with Item 1.05.  When, after consultation with other agencies (such as USSS, CISA, or Sector Risk Management Agencies), the AG determines that disclosure would pose a substantial risk to national security or public safety, the DOJ will notify the SEC in writing, specifying a period for the delay, up to 30 days. The DOJ will also notify the recommending agency and the company.  The AG’s determination could apply to only part of the information, and the notification will indicate the scope of the information covered. If a delay is determined not to be necessary, the DOJ will inform the recommending agency and the company, where applicable.

Changes in circumstances during a delay period.   The recommending agency should advise the company of the “ongoing need to apprise the recommending agency of any new or changed information relevant or potentially relevant to the national security or public safety risks of public disclosure that arises during the delay period.”  If the recommending agency determines that disclosure would no longer pose a substantial risk, it will immediately notify the DOJ through the FBI, and if the DOJ agrees that a delay in disclosure is no longer required, it will notify the recommending agency, the SEC and the company in writing.

Subsequent periods of delay.  Form 8-K contemplates “a possible ‘additional’ period of up to 30 days, a possible ‘final additional’ period of delay of up to 60 days, and a possible further delay ‘beyond the final 60-day delay.’” If, during an initial delay period, the recommending agency, the company or another U.S. Government agency assesses that the substantial risk from public disclosure will continue beyond the initial delay period, then they may make a request to the FBI for an “additional period” of delay “at least five business days before the end of the initial period of delay and include a description of the continued substantial risk that disclosure poses to national security or public safety and an estimate of the duration that such risk may last.” The guidelines also describe the circumstances and procedures applicable for requests for the further delays.

Limited scope.  In conclusion, the DOJ cautions that these guidelines are not all-encompassing and that there may be situations beyond Form 8-K where additional reporting may be legally required or advisable even if not required, whether to the SEC or to other government agencies.