On December 12, 2023, the Department of Justice (DOJ) issued guidelines for companies to follow in requesting that the Attorney General authorize delays of cyber incident disclosures required by the U.S. Securities and Exchange Commission ("SEC") pursuant to Form 8-K Item 1.05.

In July, the SEC finalized a rule (the "Final Rule"), which comes into effect on December 18, 2023, requiring companies subject to the reporting requirements in Section 13 or 15(d) of the Securities Exchange Act of 1934 ("registrants") to determine without "unreasonable delay" whether a cybersecurity incident is "material," and to report material incidents on SEC Form 8-K within four business days of that determination. In announcing the Final Rule, the SEC restated the standard for materiality from case law: information about a cybersecurity incident is "material" if there is "a substantial likelihood that a reasonable shareholder would consider it important" in making an investment decision, or if it would have "significantly altered the 'total mix' of information made available."

However, the SEC rule permits registrants to delay reporting these incidents on Form 8-K if DOJ determines that "a public filing would pose a substantial threat to public safety or national security." DOJ has made clear in its departmental guidelines on material cybersecurity incident delay determinations that the primary inquiry is whether the public disclosure of a cybersecurity incident—not the incident itself—threatens public safety or national security. In most cases, according to the guidelines, registrants will be able to publicly disclose material information at a "level of generality" that does not pose such risks.

The guidelines also offered examples of when a delay in reporting would be warranted, such as:

  • when the incident stems from exploitation of a technique for which there is not yet well-known mitigation, and disclosure of the incident could lead to more incidents;
  • when the incident impacts a system containing sensitive US government information (such as research and development performed pursuant to government contracts), such that disclosure could lead to further exploitation of that system; or
  • where the registrant is conducting remediation efforts for any critical infrastructure or critical system, and disclosure of the incident could impair those efforts.

The guidelines also contemplate situations where the government has more information about the incident than the registrant, and immediate disclosure by the registrant could compromise a government interest, such as its sources of information about the incident, an operation to disrupt ongoing illicit cyber activity (such as an asset seizure or infrastructure takedown), or the government's own remediation efforts directed at critical infrastructure. In those situations, a government agency might seek out the registrant's agreement to seek a delay in disclosure.

DOJ has tasked the FBI with taking in requests to delay reporting, conducting national security and public safety equities checks, and making recommendations for a decision back to DOJ. On December 6, 2023, the FBI issued a Policy Notice describing the process it will follow. Most significantly, a registrant must make its request for delay "concurrently" with the materiality decision, or else the FBI will deny the request. However, the DOJ and FBI encourage registrants to engage with the FBI directly or indirectly well before the completion of a materiality analysis. Accordingly, registrants may consider establishing and maintaining lines of communication and points of contact within the FBI, and also reporting significant incidents to the FBI prior to making a materiality decision, so that the request for delay is not the first occasion DOJ hears about the incident and appreciates its significance.

Through its CyWatch operations center, the FBI will consult with other government agencies to determine whether, in their view, public filing of the incident would pose a significant risk to national security or public safety. CyWatch will compile the information it receives and route it to a designated DOJ e-mail. For more detailed information about the FBI's process, see FBI's Guidance to Victims of Cyber Incidents on SEC Reporting Requirements.

After receiving the FBI's referral, DOJ may grant an initial notification delay of up to 30 business days if it determines that a substantial risk to national security or public safety exists, with the option of further delaying for an additional 30 days in "extraordinary circumstances." A registrant's request for an additional period of delay should be made at least five business days before the end of the initial period of delay and include "a description of the continued substantial risk that disclosure poses to national security or public safety and an estimate of the duration that such risk may last." DOJ can approve delay for an additional 60 business days due to substantial national security (but not public safety) risks. The SEC must issue an exemptive order for delays of more than 120 business days (or 60 days for incidents that solely relate to public safety).

Registrants interested in making a request to delay with the FBI should do so through their local FBI field offices. Requests made to the Department of Homeland Security/Cybersecurity and Infrastructure Security Agency or Sector Risk Management Agencies will be forwarded to the FBI. The FBI has published guidance on the information registrants should include in a delay request, including: a detailed account of the incident (i.e., timing, suspected intrusion vectors, affected data or infrastructure, and any known operational impacts); information about the actor responsible, if known; and the status of remediation efforts. Registrants must provide the date and time (including time zone) of their determination of "materiality," so the FBI can verify that the delay request is being made "immediately upon determination."

© Copyright 2023. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.