December 13, 2023

DOJ and FBI Announce Guidance on Seeking Delays in SEC 8-K Filings for Cyber Incidents

Share

On December 12, 2023, the Department of Justice (DOJ) issued guidelines for companies to follow in requesting that the Attorney General authorize delays of cyber incident disclosures required by the U.S. Securities and Exchange Commission (“SEC”) pursuant to Form 8-K Item 1.05.

In July, the SEC finalized a rule (the “Final Rule”), which comes into effect on December 18, 2023, requiring companies subject to the reporting requirements in Section 13 or 15(d) of the Securities Exchange Act of 1934 (“registrants”) to determine without “unreasonable delay” whether a cybersecurity incident is “material,” and to report material incidents on SEC Form 8-K within four business days of that determination. In announcing the Final Rule, the SEC restated the standard for materiality from caselaw: information about a cybersecurity incident is “material” if there is “a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, or if it would have “significantly altered the ‘total mix’ of information made available.

However, the SEC rule permits registrants to delay reporting these incidents on Form 8-K if DOJ determines that “a public filing would pose a substantial threat to public safety or national security.” DOJ has made clear in their departmental guidelines on material cybersecurity incident delay determinations that the primary inquiry is whether the public disclosure of a cybersecurity incident—not the incident itself—threatens public safety or national security. In most cases, according to the guidelines, registrants will be able to publicly disclose material information at a “level of generality” that does not pose such risks.

The guidelines also offered examples of when a delay in reporting would be warranted, such as:

  • when the incident stems from exploitation of a technique for which there is not yet well-known mitigation, and disclosure of the incident could lead to more incidents;
  • when the incident impacts a system containing sensitive US government information (such as research and development performed pursuant to government contracts), such that disclosure could lead to further exploitation of that system; or
  • where the registrant is conducting remediation efforts for any critical infrastructure or critical system, and disclosure of the incident could impair those efforts.

The guidelines also contemplate situations where the government has more information about the incident than the registrant, and immediate disclosure by the registrant could compromise a government interest, such as its sources of information about the incident, an operation to disrupt ongoing illicit cyber activity (such as an asset seizure or infrastructure takedown), or the government’s own remediation efforts directed at critical infrastructure. In those situations, a government agency might seek out the registrant’s agreement to seek a delay in disclosure.

DOJ has tasked the FBI with taking in requests to delay reporting, conducting national security and public safety equities checks, and making recommendations for a decision back to DOJ. On December 6, 2023, the FBI issued a Policy Notice describing the process it will follow. Most significantly, a registrant must make its request for delay “concurrently” with the materiality decision, or else the FBI will deny the request. However, the DOJ and FBI encourage registrants to engage with the FBI directly or indirectly well before the completion of a materiality analysis. Accordingly, registrants may consider establishing and maintaining lines of communication and points of contact within the FBI, and also reporting significant incidents to the FBI prior to making a materiality decision, so that the request for delay is not the first occasion DOJ hears about the incident and appreciates its significance.

Through its CyWatch operations center, the FBI will consult with other government agencies to determine whether, in their view, public filing of the incident would pose a significant risk to national security or public safety. CyWatch will compile the information it receives and route it to a designated DOJ e-mail. For more detailed information about the FBI’s process, see FBI's Guidance to Victims of Cyber Incidents on SEC Reporting Requirements.

After receiving the FBI’s referral, DOJ may grant an initial notification delay of up to 30 business days if it determines that a substantial risk to national security or public safety exists, with the option of further delaying for an additional 30 days in “extraordinary circumstances.” A registrant’s request for an additional period of delay should be made at least five business days before the end of the initial period of delay and include “a description of the continued substantial risk that disclosure poses to national security or public safety and an estimate of the duration that such risk may last.” DOJ can approve delay for an additional 60 business days due to substantial national security (but not public safety) risks. The SEC must issue an exemptive order for delays of more than 120 business days (or 60 days for incidents that solely relate to public safety).

Registrants interested in making a request to delay with the FBI should do so through their local FBI field offices. Requests made to the Department of Homeland Security/Cybersecurity and Infrastructure Security Agency or Sector Risk Management Agencies will be forwarded to the FBI. The FBI has published guidance on the information registrants should include in a delay request, including: a detailed account of the incident (i.e., timing, suspected intrusion vectors, affected data or infrastructure, and any known operational impacts); information about the actor responsible, if known; and the status of remediation efforts. Registrants must provide the date and time (including time zone) of their determination of “materiality,” so the FBI can verify that the delay request is being made “immediately upon determination.”

Stay Up To Date With Our Insights

See how we use a multidisciplinary, integrated approach to meet our clients' needs.
Subscribe