Public companies now have a pathway to request a delay in their cybersecurity incident disclosure to the U.S. Securities and Exchange Commission (“SEC”). On December 6, 2023, the Federal Bureau of Investigation (“FBI”) Cyber Division published the “Cyber Victim Requests to Delay Securities and Exchange Commission Public Disclosure Policy Notice” (the “Policy Notice”) in response to the SEC’s finalized disclosure rules (the “Final Rules”). Published on July 26, 2023, the Final Rules established guidelines around cybersecurity risk management, strategy, governance, and incidents for public companies subject to the Securities Exchange Act of 1934. Among several requirements under the Final Rules, companies are required to disclose cybersecurity incidents within four days of a materiality determination by filing an SEC Form 8-K.

SEC Disclosure Delay Provisions

The Final Rules include a provision allowing a company to delay filing a disclosure[1] where there is an active law enforcement investigation or the U.S. Attorney General (“Attorney General”) determines disclosure implicates national security or public safety, and notifies the SEC in writing. The disclosure may be delayed for several reasons:

  • Initially, disclosure may be delayed for up to 30 days following the date when the disclosure was otherwise required to be provided.
  • The delay may be extended for an additional period of up to 30 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security or public safety and notifies the SEC of such determination in writing.
  • In extraordinary circumstances, disclosure may be delayed for a final additional period of up to 60 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security and notifies the SEC.
  • Delays cannot exceed a total of 120 business days without an exemptive order from the SEC.

To facilitate timely communication of the Attorney General’s findings with the SEC, the U.S. Department of Justice (“DOJ”) established an interagency communication process where the Federal Bureau of Investigation (“FBI”) is responsible for: (i) intaking all such requests either from a victim directly, the Cybersecurity and Infrastructure Security Agency (“CISA”), or other government agencies, on behalf of the DOJ, (ii) coordinating checks of USG national security and public safety equities, and (iii) reporting the outcome of these checks to DOJ.

Requesting a Delayed Disclosure

The FBI, in coordination with the DOJ, issued the DOJ Material Cybersecurity Incident Delay Determinations Guidelines and FBI Policy Notice, on how victims may request disclosure delays for national security or public safety reasons. The FBI strongly recommends all publicly traded companies contact the FBI soon after a company believes disclosure of a newly-discovered cybersecurity incident may pose a substantial risk to national security or public safety. Delay requests will not be processed by the FBI unless they are received by the FBI immediately upon a company’s determination that disclosure of a cybersecurity incident to the SEC is required.

Companies may request a disclosure delay by contacting the FBI directly at cyber_sec_disclosure_delay_referrals@fbi.gov or through the U.S. Secret Service, CISA, the U.S. Department of Defense, or another sector risk management agency. In their delay request, victim companies must provide the following information:

  1. Company name;
  2. When the cyber incident occurred;
  3. When a determination was made to disclose a cyber incident to the SEC via Form 8-k (including the date, time, and time zone). Failure to report this information immediately upon determination will cause the delay-referral request to be denied;  
  4. Whether the company already in contact with the FBI or another U.S. government agency regarding this incident. If so, provide the names and field offices of the FBI points of contact or information regarding the U.S. government agency with whom the company is in contact;
  5. Describe the incident in detail. Include the following details, at minimum:
    1. The type of incident that occurred;
    2. The known or suspected intrusion vectors, including any identified vulnerabilities if known;
    3. The infrastructure or data were affected (if any) and how were they affected;
    4. Whether the operational impact on the company, if known;
  6. Whether there is confirmed or suspected attribution of the cyber actors responsible;
  7. The current status of any remediation or mitigation efforts;
  8. Where the incident occurred (including the street address, city, and state where the incident occurred);
  9. The company’s points of contact for this matter (including the name, phone number, and email address of personnel the FBI may contact to discuss this request); and
  10. Whether the company previously submitted a delay referral request or if this is the first time. If victim companies have previously submitted a delay request, they must include details about when DOJ made its last delay determination(s), on what grounds, and for how long it granted the delay, if applicable. 

With the increased regulatory scrutiny of a company’s cybersecurity hygiene, public companies should remain current on cybersecurity incident reporting requirements.

Crowell & Moring LLP is highly experienced at advising clients on SEC and law enforcement developments impacting organizations. Additional information on the latest SEC activities is available at the following Crowell client alerts: Uncharted Territory: The SEC Sues SolarWinds and its CISO for Securities Laws Violations in Connection with SUNBURST CyberattackFive Key Takeaways from the SEC’s Final Cybersecurity Rules for Public Companies, and SEC Proposes New Cybersecurity Risk and Incident Disclosure Obligations.

If you have questions about this alert or similar issues, please contact one of the Crowell & Moring attorneys listed below, or your regular Crowell & Moring contact.

[1] Under the SEC Final Rules, public companies are required to file cybersecurity incident disclosures via submission of Item 1.05 on the SEC Form 8-K.

Tags: Cybersecurity, DOJ, FBI, Incident disclosure, SEC
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Daniel L. Zelenko Daniel L. Zelenko

Daniel L. Zelenko is a partner in the New York office of Crowell & Moring and serves as co-chair of the firm’s nationally recognized White Collar & Regulatory Enforcement Group. Dan is a former federal prosecutor and senior enforcement lawyer at the U.S.

Daniel L. Zelenko is a partner in the New York office of Crowell & Moring and serves as co-chair of the firm’s nationally recognized White Collar & Regulatory Enforcement Group. Dan is a former federal prosecutor and senior enforcement lawyer at the U.S. Securities and Exchange Commission (SEC). He has been recognized as a leader in the white collar and regulatory enforcement bar by Chambers USA since 2016 and is held in high regard for his U.S. Department of Justice (DOJ) and SEC experience and his antitrust and securities enforcement experience. Chambers USA described Dan as a “tremendous talent” who “tries cases really impressively before the government,” noting that he “is a very effective advocate who sees the whole picture,” is “thoroughly knowledgeable about the legal and regulatory landscape,” and that “he knows his way around the street, and knows how to work with people in difficult situations.” Dan has been quoted as a leading authority on white collar defense and government investigations in numerous media outlets including The Wall Street Journal, The New York Times, Bloomberg and Reuters and has appeared on CNN.

Read more about Daniel L. Zelenko
Show more Show less
Photo of Jennie Wang VonCannon Jennie Wang VonCannon

Jennie VonCannon is a trial lawyer with a proven track record of success in both the courtroom and the boardroom — with extensive experience in white collar defense and cybersecurity matters. Jennie helps clients in crisis with internal investigations, law enforcement and regulatory…

Jennie VonCannon is a trial lawyer with a proven track record of success in both the courtroom and the boardroom — with extensive experience in white collar defense and cybersecurity matters. Jennie helps clients in crisis with internal investigations, law enforcement and regulatory inquiries and subpoenas, and cybersecurity and privacy incidents. Her impeccable judgment has been honed over 11 years as a federal prosecutor, culminating in her selection to serve with distinction as the deputy chief of the Cyber and Intellectual Property Crimes Section of the National Security Division of the U.S. Attorney’s Office for the Central District of California.

Read more about Jennie Wang VonCannon
Show more Show less
Photo of William J. Bruno William J. Bruno

William Bruno is a partner in the Washington, D.C. office of Crowell & Moring, where he is a member of the firm’s Corporate Group. William’s practice focuses on general corporate and securities matters for public and private companies, including mergers and acquisitions, initial…

William Bruno is a partner in the Washington, D.C. office of Crowell & Moring, where he is a member of the firm’s Corporate Group. William’s practice focuses on general corporate and securities matters for public and private companies, including mergers and acquisitions, initial and follow-on securities offerings, complex commercial transactions, and corporate governance. William advises clients seeking to grow, collaborate, and secure new capital.

Read more about William J. Bruno
Show more Show less
Photo of Anand Sithian Anand Sithian

For high-stakes internal and government investigations and complex regulatory and compliance matters, companies and individuals look to Anand to provide strategic advice and counseling, particularly on issues relating to the Bank Secrecy Act and Anti-Money Laundering (“BSA/AML”), economic sanctions, and digital assets. Anand

For high-stakes internal and government investigations and complex regulatory and compliance matters, companies and individuals look to Anand to provide strategic advice and counseling, particularly on issues relating to the Bank Secrecy Act and Anti-Money Laundering (“BSA/AML”), economic sanctions, and digital assets. Anand is resident in the firm’s New York office and a member of the firm’s International Trade, White Collar and Regulatory Enforcement, and Financial Services groups.

A former federal prosecutor, Anand leverages his government experience to guide clients through complex white-collar matters, including grand jury and regulatory investigations, enforcement proceedings, and internal investigations. Anand has deep experience in parallel criminal and civil investigations and proceedings, and often represents clients in defending against civil lawsuits related to government investigations.

Representing some of the world’s largest banks and technology companies, Anand has addressed a wide range of issues, including economic sanctions, BSA/AML; economic sanctions and national security; payments and cryptocurrency; securities laws; and cybersecurity enforcement. In the regulatory space, Anand prides himself on providing commercial and actionable advice, including in the developing areas of digital assets, FinTech, and payments.

Read more about Anand Sithian
Show more Show less
Related Posts
The NIS2 Directive is on the Edge of Enforcement: What Now for EU/US Companies?
August 26, 2024
SEC “Encourages” Public Companies to Disclose “Immaterial” Cybersecurity Incidents Under Item 8.01 of Form 8-K
May 23, 2024
Uncharted Territory: The SEC Sues SolarWinds and its CISO for Securities Laws Violations in Connection with SUNBURST Cyberattack
November 8, 2023