Public companies now have a pathway to request a delay in their cybersecurity incident disclosure to the U.S. Securities and Exchange Commission (“SEC”). On December 6, 2023, the Federal Bureau of Investigation (“FBI”) Cyber Division published the “Cyber Victim Requests to Delay Securities and Exchange Commission Public Disclosure Policy Notice” (the “Policy Notice”) in response to the SEC’s finalized disclosure rules (the “Final Rules”). Published on July 26, 2023, the Final Rules established guidelines around cybersecurity risk management, strategy, governance, and incidents for public companies subject to the Securities Exchange Act of 1934. Among several requirements under the Final Rules, companies are required to disclose cybersecurity incidents within four days of a materiality determination by filing an SEC Form 8-K.

SEC Disclosure Delay Provisions

The Final Rules include a provision allowing a company to delay filing a disclosure[1] where there is an active law enforcement investigation or the U.S. Attorney General (“Attorney General”) determines disclosure implicates national security or public safety, and notifies the SEC in writing. The disclosure may be delayed for the following periods:

  • Initially, disclosure may be delayed for up to 30 days following the date when the disclosure was otherwise required to be provided.
  • The delay may be extended for an additional period of up to 30 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security or public safety and notifies the SEC of such determination in writing.
  • In extraordinary circumstances, disclosure may be delayed for a final additional period of up to 60 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security and notifies the SEC.
  • Delays cannot exceed a total of 120 business days without an exemptive order from the SEC.

To facilitate timely communication of the Attorney General’s findings with the SEC, the U.S. Department of Justice (“DOJ”) established an interagency communication process where the Federal Bureau of Investigation (“FBI”) is responsible for: (i) intaking all such requests either from a victim directly, the Cybersecurity and Infrastructure Security Agency (“CISA”), or other government agencies, on behalf of the DOJ, (ii) coordinating checks of USG national security and public safety equities, and (iii) reporting the outcome of these checks to DOJ.

Requesting a Delayed Disclosure

The FBI, in coordination with the DOJ, issued the DOJ Material Cybersecurity Incident Delay Determinations Guidelines and FBI Policy Notice, on how victims may request disclosure delays for national security or public safety reasons. The FBI strongly recommends all publicly traded companies contact the FBI soon after a company believes disclosure of a newly-discovered cybersecurity incident may pose a substantial risk to national security or public safety. Delay requests will not be processed by the FBI unless they are received by the FBI immediately upon a company’s determination that disclosure of a cybersecurity incident to the SEC is required.

Companies may request a disclosure delay by contacting the FBI directly at cyber_sec_disclosure_delay_referrals@fbi.gov or through the U.S. Secret Service, CISA, the U.S. Department of Defense, or another sector risk management agency. In their delay request, victim companies must provide the following information:

  1. Company name;
  2. When the cyber incident occurred;
  3. When a determination was made to disclose a cyber incident to the SEC via Form 8-K (including the date, time, and time zone). Failure to report this information immediately upon determination will cause the delay-referral request to be denied;
  4. Whether the company is already in contact with the FBI or another U.S. government agency regarding this incident. If so, provide the names and field offices of the FBI points of contact or information regarding the U.S. government agency with whom the company is in contact;
  5. Describe the incident in detail. Include the following details, at minimum:
    1. The type of incident that occurred;
    2. The known or suspected intrusion vectors, including any identified vulnerabilities if known;
    3. What infrastructure or data were affected (if any) and how they were affected;
    4. The operational impact on the company, if known;
  6. Whether there is confirmed or suspected attribution of the cyber actors responsible;
  7. The current status of any remediation or mitigation efforts;
  8. Where the incident occurred (including the street address, city, and state where the incident occurred);
  9. The company’s points of contact for this matter (including the name, phone number, and email address of personnel the FBI may contact to discuss this request); and
  10. Whether the company previously submitted a delay referral request or if this is the first time. If victim companies have previously submitted a delay request, they must include details about when DOJ made its last delay determination(s), on what grounds, and for how long it granted the delay, if applicable. 

With the increased regulatory scrutiny of a company’s cybersecurity hygiene, public companies should remain current on cybersecurity incident reporting requirements.

Crowell & Moring LLP is highly experienced at advising clients on SEC and law enforcement developments impacting organizations. Additional information on the latest SEC activities is available at the following Crowell client alerts: Uncharted Territory: The SEC Sues SolarWinds and its CISO for Securities Laws Violations in Connection with SUNBURST Cyberattack, Five Key Takeaways from the SEC’s Final Cybersecurity Rules for Public Companies, and SEC Proposes New Cybersecurity Risk and Incident Disclosure Obligations.

If you have questions about this alert or similar issues, please contact one of the Crowell & Moring attorneys listed below, or your regular Crowell & Moring contact.

[1] Under the SEC Final Rules, public companies are required to file cybersecurity incident disclosures via submission of Item 1.05 on the SEC Form 8-K.

Evan D. Wolff

Evan D. Wolff is a partner in Crowell & Moring’s Washington, D.C. office, where he is co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and a member of the Government Contracts Group. Evan has a national reputation for his deep technical background and understanding of complex cybersecurity legal and policy issues. Calling upon his experiences as a scientist, program manager, and lawyer, Evan takes an innovative approach to developing blended legal, technical, and governance mechanisms to prepare companies with rapid and comprehensive responses to rapidly evolving cybersecurity risks and threats. Evan has conducted training and incident simulations, developed response plans, led privileged investigations, and advised on hundreds of data breaches where he works closely with forensic investigators. Evan also counsels businesses on both domestic and international privacy compliance matters, including the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework.

Daniel Zelenko

Daniel L. Zelenko is a partner in the New York office of Crowell & Moring and serves as co-chair of the firm’s nationally recognized White Collar & Regulatory Enforcement Group. Dan is a former federal prosecutor and senior enforcement lawyer at the U.S. Securities and Exchange Commission (SEC). He has been recognized as a leader in the white collar and regulatory enforcement bar by Chambers USA since 2016 and is held in high regard for his U.S. Department of Justice (DOJ) and SEC experience and his antitrust and securities enforcement experience. Chambers USA described Dan as a “tremendous talent” who “tries cases really impressively before the government,” noting that he “is a very effective advocate who sees the whole picture,” is “thoroughly knowledgeable about the legal and regulatory landscape,” and that “he knows his way around the street, and knows how to work with people in difficult situations.” Dan has been quoted as a leading authority on white collar defense and government investigations in numerous media outlets including The Wall Street Journal, The New York Times, Bloomberg and Reuters and has appeared on CNN.

Matthew B. Welling

Matthew B. Welling is a partner in Crowell & Moring’s Washington, D.C. office, where he practices in the firm’s Privacy & Cybersecurity and Energy groups. Matthew has a deep technical background that he leverages to represent clients in a wide range of counseling and regulatory matters. His experience includes cybersecurity and privacy incident response, compliance reviews, risk assessments, and the development of corporate policies and procedures, such as incident response plans. Matthew has a diverse background in M&A and other corporate transactional issues, with specific recent experience with technology transactions, cybersecurity issues, and critical infrastructure project development.

Jennie Wang VonCannon

Jennie VonCannon is a trial lawyer with a proven track record of success in both the courtroom and the boardroom — with extensive experience in white collar defense and cybersecurity matters. Jennie helps clients in crisis with internal investigations, law enforcement and regulatory inquiries and subpoenas, and cybersecurity and privacy incidents. Her impeccable judgment has been honed over 11 years as a federal prosecutor, culminating in her selection to serve with distinction as the deputy chief of the Cyber and Intellectual Property Crimes Section of the National Security Division of the U.S. Attorney’s Office for the Central District of California.

William J. Bruno

William Bruno is a partner in the Washington, D.C. office of Crowell & Moring, where he is a member of the firm’s Corporate Group. William’s practice focuses on general corporate and securities matters for public and private companies, including mergers and acquisitions, initial and follow-on securities offerings, complex commercial transactions, and corporate governance. William advises clients seeking to grow, collaborate, and secure new capital.

Anand Sithian

For high-stakes internal and government investigations and complex regulatory and compliance matters, companies and individuals look to Anand to provide strategic advice and counseling, particularly on issues relating to the Bank Secrecy Act and Anti-Money Laundering (“BSA/AML”), economic sanctions, and digital assets. Anand is resident in the firm’s New York office and a member of the firm’s International Trade, White Collar and Regulatory Enforcement, and Financial Services groups.

A former federal prosecutor, Anand leverages his government experience to guide clients through complex white-collar matters, including grand jury and regulatory investigations, enforcement proceedings, and internal investigations. Anand has deep experience in parallel criminal and civil investigations and proceedings, and often represents clients in defending against civil lawsuits related to government investigations.

Representing some of the world’s largest banks and technology companies, Anand has addressed a wide range of issues, including economic sanctions, BSA/AML; economic sanctions and national security; payments and cryptocurrency; securities laws; and cybersecurity enforcement. In the regulatory space, Anand prides himself on providing commercial and actionable advice, including in the developing areas of digital assets, FinTech, and payments.

Garylene “Gage” Javier

Garylene “Gage” Javier, CIPP/US is a Privacy & Cybersecurity associate in the firm’s Washington, D.C. office. Gage’s practice focuses on privacy, data security, and consumer protection, assisting financial services clients overcome regulatory challenges and achieve their business goals. Gage assists clients with concerns that arise from state and federal laws that apply to data privacy and information security, including: the Gramm-Leach-Bliley Act (GLBA); California Consumer Privacy Act (CCPA); California Privacy Rights Act (CPRA); California Financial Information Privacy Act (CFIPA); the Fair Credit Reporting Act (FCRA) and its Affiliate Marketing Rule; the Virginia Consumer Data Protection Act (CDPA); and the EU General Data Protection Regulation (GDPR).

Neda Shaheen

Neda M. Shaheen is an associate in the Washington, D.C. office of Crowell & Moring, and is a member of the Privacy and Cybersecurity and International Trade Groups. Neda focuses her practice on representing her clients in litigation and strategic counseling involving national security, technology, cybersecurity, trade and international law. Neda joined the firm after working as a consultant at Crowell & Moring International (CMI), where she supported a diverse range of clients on digital trade matters concerning international trade, national security, privacy, and data governance, as well as advancing impactful public-private partnerships.