As discussed in a previous alert, on July 26, 2023, the U.S. Securities and Exchange Commission (SEC) approved final rules requiring that public companies report information regarding cybersecurity incidents within four business days of determining the incident was material. The cybersecurity rules included a limited exception to the four-business-day requirement if the U.S. Attorney General (AG) determines public disclosure would pose a substantial risk to national security or public safety and provides written notice to the SEC to permit delayed disclosure. These Form 8-K requirements go into effect December 18, 2023.
This week, the Federal Bureau of Investigation (FBI), the U.S. Department of Justice (DOJ), and the SEC each released guidance regarding this exception.
Background
The SEC’s cybersecurity disclosure rules require publicly traded companies that experience “a cybersecurity incident that is determined by the registrant to be material” to file a current report on Form 8-K under Item 1.05(a). The Form 8-K disclosure must include “the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.” Once a company determines a cybersecurity incident is material, the company has four business days to file the Form 8-K on the SEC’s EDGAR system.
Item 1.05(c) contains what is expected to be a rare exception to the general disclosure requirement in the event that the AG determines that the Item 1.05 disclosure “poses a substantial risk to national security or public safety, and notifies the Commission of such determination in writing.”
The exception in Item 1.05(c) allows for the AG to provide:
Any possible further delay “beyond the final 60-day delay” requires an AG determination of continued substantial risk and the issuance of an SEC exemptive order.
Release of FBI and DOJ Guidance
Since the cybersecurity rules were released, companies have expected the FBI and the DOJ to release guidance regarding the process for seeking an exemption. On December 6, 2023, the FBI issued a policy notice, and on December 12, 2023, the DOJ released guidelines that outline the process to request delays of cyber incident disclosures. The FBI’s policy notice provides details on the procedure for requesting a delay, and the DOJ’s guidelines address how the DOJ will make its determination on delay.
Necessary Components for Delay Request
To request a reporting delay, companies must contact the FBI through a dedicated email address (not released as of December 15, 2023), the Cybersecurity and Infrastructure Security Agency (CISA), or other government agencies, as allowed.
Each request for a reporting delay is required to contain all of the following information:
Overview of the DOJ Determination Process
The DOJ Guidelines advise that determinations for delays are primarily concerned with whether the public disclosure of a cybersecurity incident threatens public safety or national security, not whether the incident itself poses a substantial risk to public safety and national security. The guidelines note that the prompt public disclosure of relevant information about a cybersecurity incident often provides an overall benefit for investors, public safety, and national security.
The DOJ Guidelines limit the expected circumstances in which public disclosure could pose a substantial risk to national security or public safety to the following categories:
The most relevant facts for determination of delayed disclosure will pertain to potential consequences to national security or public safety that would result from a disclosure within the timeframe required by Form 8-K Item 1.05.
The Attorney General must invoke the provision permitting a delay in disclosing an incident within four business days of a determination by the registrant that the registrant has experienced a material cybersecurity incident. As such, it is important that the registrant provide the FBI information about a cybersecurity incident likely to meet the requirements for delayed disclosure as soon as possible to allow for a thorough FBI investigation. While not a requirement of the process laid out in DOJ guidance, communication with the FBI is recommended even before the registrant has completed its materiality analysis or its investigation into the incident. The FBI’s referral of a delay request to the DOJ will include an evaluation of whether the public disclosure required by Form 8-K Item 1.05 within its prescribed timeframe would pose a substantial risk to national security or public safety.
The DOJ guidelines will be reassessed after completion of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) rulemaking. CISA is required to publish the CIRCIA Notice of Proposed Rulemaking, starting the rulemaking process, by March 2024.
Additional SEC Guidance
On December 12 and 14, 2023, the staff of the SEC published four Compliance and Disclosure Interpretations (CDIs) that relate to the national security exception and FBI and DOJ guidance. The CDIs include the following guidance:
Key Takeaway
The FBI, DOJ, and SEC guidance regarding the national security or public safety exception to the cybersecurity Form 8-K requirements emphasizes two points: that the exception is likely to be extremely limited, and that notifying the FBI as quickly as possible once an incident has been determined to be material will be crucial. Companies will likely need to consider the possibility of requesting the exception contemporaneously with making a materiality determination and prepare a request in advance of finalizing the materiality determination.
For more information on the new cybersecurity rules or any related matter, please contact any member of Wilson Sonsini's public company representation or privacy and cybersecurity practices.