Public companies now have a pathway to request a delay in their cybersecurity incident disclosure to the U.S. Securities and Exchange Commission (“SEC”). On December 6, 2023, the Federal Bureau of Investigation (“FBI”) Cyber Division published the “Cyber Victim Requests to Delay Securities and Exchange Commission Public Disclosure Policy Notice” (the “Policy Notice”) in response to the SEC’s finalized disclosure rules (the “Final Rules”). Published on July 26, 2023, the Final Rules established guidelines around cybersecurity risk management, strategy, governance, and incidents for public companies subject to the Securities Exchange Act of 1934. Among several requirements under the Final Rules, companies are required to disclose cybersecurity incidents within four days of a materiality determination by filing an SEC Form 8-K.
SEC Disclosure Delay Provisions
The Final Rules include a provision allowing a company to delay filing a disclosure where there is an active law enforcement investigation or the U.S. Attorney General (“Attorney General”) determines disclosure implicates national security or public safety, and notifies the SEC in writing. The disclosure may be delayed for several reasons:
- Initially, disclosure may be delayed for up to 30 days following the date when the disclosure was otherwise required to be provided.
- The delay may be extended for an additional period of up to 30 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security or public safety and notifies the SEC of such determination in writing.
- In extraordinary circumstances, disclosure may be delayed for a final additional period of up to 60 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security and notifies the SEC.
- Delays cannot exceed a total of 120 business days without an exemptive order from the SEC.
To facilitate timely communication of the Attorney General’s findings with the SEC, the U.S. Department of Justice (“DOJ”) established an interagency communication process where the Federal Bureau of Investigation (“FBI”) is responsible for: (i) intaking all such requests either from a victim directly, the Cybersecurity and Infrastructure Security Agency (“CISA”), or other government agencies, on behalf of the DOJ, (ii) coordinating checks of USG national security and public safety equities, and (iii) reporting the outcome of these checks to DOJ.
Requesting a Delayed Disclosure
The FBI, in coordination with the DOJ, issued the DOJ Material Cybersecurity Incident Delay Determinations Guidelines and FBI Policy Notice, on how victims may request disclosure delays for national security or public safety reasons. The FBI strongly recommends all publicly traded companies contact the FBI soon after a company believes disclosure of a newly-discovered cybersecurity incident may pose a substantial risk to national security or public safety. Delay requests will not be processed by the FBI unless they are received by the FBI immediately upon a company’s determination that disclosure of a cybersecurity incident to the SEC is required.
Companies may request a disclosure delay by contacting the FBI directly at email@example.com or through the U.S. Secret Service, CISA, the U.S. Department of Defense, or another sector risk management agency. In their delay request, victim companies must provide the following information:
- Company name;
- When the cyber incident occurred;
- When a determination was made to disclose a cyber incident to the SEC via Form 8-k (including the date, time, and time zone). Failure to report this information immediately upon determination will cause the delay-referral request to be denied;
- Whether the company already in contact with the FBI or another U.S. government agency regarding this incident. If so, provide the names and field offices of the FBI points of contact or information regarding the U.S. government agency with whom the company is in contact;
- Describe the incident in detail. Include the following details, at minimum:
- The type of incident that occurred;
- The known or suspected intrusion vectors, including any identified vulnerabilities if known;
- The infrastructure or data were affected (if any) and how were they affected;
- Whether the operational impact on the company, if known;
- Whether there is confirmed or suspected attribution of the cyber actors responsible;
- The current status of any remediation or mitigation efforts;
- Where the incident occurred (including the street address, city, and state where the incident occurred);
- The company’s points of contact for this matter (including the name, phone number, and email address of personnel the FBI may contact to discuss this request); and
- Whether the company previously submitted a delay referral request or if this is the first time. If victim companies have previously submitted a delay request, they must include details about when DOJ made its last delay determination(s), on what grounds, and for how long it granted the delay, if applicable.
With the increased regulatory scrutiny of a company’s cybersecurity hygiene, public companies should remain current on cybersecurity incident reporting requirements.
Crowell & Moring LLP is highly experienced at advising clients on SEC and law enforcement developments impacting organizations. Additional information on the latest SEC activities is available at the following Crowell client alerts: Uncharted Territory: The SEC Sues SolarWinds and its CISO for Securities Laws Violations in Connection with SUNBURST Cyberattack, Five Key Takeaways from the SEC’s Final Cybersecurity Rules for Public Companies, and SEC Proposes New Cybersecurity Risk and Incident Disclosure Obligations.
If you have questions about this alert or similar issues, please contact one of the Crowell & Moring attorneys listed below, or your regular Crowell & Moring contact.
 Under the SEC Final Rules, public companies are required to file cybersecurity incident disclosures via submission of Item 1.05 on the SEC Form 8-K.