21 December 2023

Corp Fin Issues New CDIs On Delaying Form 8-Ks For Material Cybersecurity Incidents

Cooley LLP

Contributor

Clients partner with Cooley on transformative deals, complex IP and regulatory matters, and high-stakes litigation, where innovation meets the law. Cooley has nearly 1,400 lawyers across 18 offices in the United States, Asia and Europe, and a total workforce of more than 3,000.

Corp Fin has just released some new CDIs, summarized below, relating to material cybersecurity incidents. As you know, in July, the SEC voted, three to two, to adopt final rules on cybersecurity disclosure, which includes a requirement for material incident reporting on Forms 8-K and 6-K. Compliance with the 8-K and 6-K incident disclosure requirements will be required for all companies other than smaller reporting companies beginning on December 18, 2023. SRCs will have an additional 180 days deferral. (See this PubCo post.) The new CDIs can all be found under the caption Exchange Act Forms, in a new Section 104B, Item 1.05 Material Cybersecurity Incidents. Summaries are below, but each CDI number is linked to the CDI on the SEC website, so you can easily read the version in full.

Under the final rule, if a public company experiences a cybersecurity incident that the company determines to be material, the company is required to file a Form 8-K under new Item 1.05, describing the "material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations." The materiality determination regarding a cybersecurity incident must be made "without unreasonable delay" after discovery of the incident. To the extent that the required information has not been determined or is unavailable at the time of the required filing, the company is required to include a statement to that effect in the filing and then file an amendment to its Form 8-K containing that information within four business days after the company, without unreasonable delay, determines the information or the information becomes available.

In response to comments, the SEC adopted a provision allowing delayed filing for an initial 30 days where the Attorney General determines that the disclosure poses a substantial risk to national security or public safety and notifies the SEC in writing. Further extensions of up to 120 days are possible; longer delays would require an SEC exemptive order. The SEC advises that the staff have consulted with the DOJ "to establish an interagency communication process to allow for the Attorney General's determination to be communicated to the Commission in a timely manner. The Department of Justice will notify the affected registrant that communication to the Commission has been made, so that the registrant may delay filing its Form 8-K." The release observes that this delay provision is separate from Exchange Act Rule 0-6, which prohibits disclosure of classified information, and would take precedence over these cybersecurity disclosure rules. But how will all this work in practice? These new CDIs, together with the Department of Justice Material Cybersecurity Incident Delay Determinations, Department of Justice (2023), to which each of the CDIs refers, address some of those questions. The DOJ guidance is summarized in the SideBar below.

Item 1.05 Material Cybersecurity Incidents

  • New Question 104B.01 A company may delay providing the Item 1.05 Form 8-K disclosure only if the Attorney General determines that disclosure would pose a substantial risk to national security or public safety and notifies the SEC of that determination in writing before the Form 8-K would otherwise be due. Merely requesting a delay does not change the company's filing obligation. If a company experiences a material cybersecurity incident and requests a determination of whether disclosure of the incident on Form 8-K poses a substantial risk, but the AG declines to make that determination or does not respond before the Form 8-K would otherwise be due, the company must still file the Form 8-K within four business days of its determination that the incident was material.
  • New Question 104B.02 But if the company makes the same type of request and the AG determines that disclosure of the incident on Form 8-K would pose a substantial risk to national security or public safety and also notifies the SEC that disclosure should be delayed for the time period provided in Form 8-K Item 1.05(c), the company must file the Item 1.05 Form 8-K within four business days of the expiration of the delay period provided by the AG. If the company subsequently requests an additional delay from the AG, but the AG declines or does not timely respond before the expiration of the current delay period, the deadline for the company to file the Form 8-K is still four business days after the expiration of the original delay period provided by the AG.
  • New Question 104B.03 If, after a material cybersecurity incident, disclosure on Form 8-K is delayed for up to 30 days, as specified by the AG, but the AG subsequently determines, during the delay period, that disclosure of the incident no longer poses a substantial risk to national security or public safety and notifies the SEC and the company of this new determination, the company must file the Item 1.05 Form 8-K within four business days of the AG's notification to the SEC and the company. Here, Corp Fin refers companies specifically to "Changes in circumstances during a delay period" in the DOJ guidelines.

SideBar

The DOJ guidelines set forth in Department of Justice Material Cybersecurity Incident Delay Determinations outline the process that public companies, or federal agencies in coordination with companies, may use to request that the AG authorize delays of cyber incident disclosures required on Form 8-K.

Limited circumstances for finding a substantial risk to national security or public safety. The DOJ begins by drawing the distinction between whether the public disclosure of a cybersecurity incident threatens public safety or national security—which is the DOJ's inquiry in this context—and whether the incident itself poses a substantial risk to public safety and national security: "While cybersecurity incidents themselves frequently threaten public safety and national security, the disclosure to the public that those incidents have occurred poses threats less often," and can even be beneficial. In most cases, companies will be able to craft disclosure of the information required by Form 8-K "at a level of generality that does not pose a substantial risk to national security or public safety," but disclosure could pose a risk in some circumstances, which the DOJ expects to be limited to the following categories:

  • "a) The cybersecurity incident occurred because the illicit cyber activities were reasonably suspected to have involved a technique for which there is not yet well-known mitigation—for example, exploiting a software vulnerability for which there is no patch or other reasonably available mitigation—and the disclosure required by Item 1.05 could lead to more incidents, thereby posing a substantial risk to national security or public safety.
  • b) The cybersecurity incident primarily impacts a system operated or maintained by a registrant that contains sensitive U.S. Government information, or information the U.S. Government would consider sensitive, and public disclosure required by Item 1.05 would make that information and/or system vulnerable to further exploitation by illicit cyber activity, thereby posing a substantial risk to national security or public safety. This category includes systems operated or maintained for the government as well as systems not specifically operated or maintained for the government that contain information the government would view as sensitive, such as that regarding national defense or research and development performed pursuant to government contracts.
  • c) The registrant is conducting remediation efforts for any critical infrastructure or critical system, and any disclosure required by Item 1.05(a) revealing that the registrant is aware of the incident would undermine those remediation efforts and thus pose a substantial risk to national security or public safety.
  • d) The circumstances described below in Section 3 [procedure for a U.S. Government agency to follow when Item 1.05(c)'s exception might apply], after a government agency has made the registrant aware of them."

Procedures for companies to follow. If a company discovers a cybersecurity incident and believes that disclosure may pose a substantial risk to national security or public safety, the company should immediately contact the FBI, consistent with the reporting instructions the FBI has issued, either directly (through a dedicated email, which is still to come, or otherwise) or through another federal agency (such as the Cybersecurity and Infrastructure Security Agency or the Secret Service). (The FBI instructions spell out precisely the nature of the information that should be included in any request to the FBI.) The DOJ states the report should include a concise description of the facts indicating that disclosure would pose a substantial risk, "citing one or more of the categories described above. The most relevant facts will pertain to the potential consequences to national security or public safety that would result from a disclosure within the timeframe required by Item 1.05." The AG must "invoke the provision permitting a delay in disclosing an incident under the Commission rule within four business days of a determination by the registrant that the registrant has experienced a material cybersecurity incident. As such, it is important that the registrant provide to the FBI, directly or indirectly through another U.S. Government agency, information about a cybersecurity incident likely to meet the requirements for delayed disclosure as soon as possible, even beginning well before the registrant has completed its materiality analysis or its investigation into the incident." The FBI then documents the facts provided by the company as well as "findings from related FBI national security and public safety records, equity checks, and appropriate consultations with other U.S. Government agencies." In its referral to the DOJ of a delay request, the FBI will include an evaluation of whether Form 8-K public disclosure "within its prescribed timeframe would pose a substantial risk to national security or public safety."

Procedure for a U.S. Government agency to follow when Item 1.05(c)'s exception might apply. The guidelines also outline the procedures for U.S. Government agencies to follow should they become aware of a cybersecurity incident affecting a company's information system and believe that a Form 8-K disclosure could pose a substantial risk to national security or public safety. In addition, the guidelines identify the types of scenarios that might lead such a recommending agency, rather than the company, to be aware of a substantial risk, such as when disclosure might reveal a confidential source, when the government is planning an operation to disrupt the activity, or when the government is conducting remediation efforts with regard to critical infrastructure.

Procedures after a determination. The DOJ has "sole discretionary authority to determine whether and how long a substantial risk to national security or public safety exists such that a delay in disclosure is necessary consistent with Item 1.05." When, after consultation with other agencies (such as USSS, CISA, or Sector Risk Management Agencies), the AG determines that disclosure would pose a substantial risk to national security or public safety, the DOJ will notify the SEC in writing, specifying a period for the delay of up to 30 days. The DOJ will also notify the recommending agency and the company. The AG's determination could apply to only part of the information, and the notification will indicate the scope of the information covered. If a delay is determined not to be necessary, the DOJ will inform the recommending agency and the company, where applicable.

Changes in circumstances during a delay period. The recommending agency should advise the company of the "ongoing need to apprise the recommending agency of any new or changed information relevant or potentially relevant to the national security or public safety risks of public disclosure that arises during the delay period." If the recommending agency determines that disclosure would no longer pose a substantial risk, it will immediately notify the DOJ through the FBI, and if the DOJ agrees that a delay in disclosure is no longer required, it will notify the recommending agency, the SEC and the company in writing.

Subsequent periods of delay. Form 8-K contemplates "a possible 'additional' period of up to 30 days, a possible 'final additional' period of delay of up to 60 days, and a possible further delay 'beyond the final 60-day delay.'" If, during an initial delay period, the recommending agency, the company or another U.S. Government agency assesses that the substantial risk from public disclosure will continue beyond the initial delay period, then they may make a request to the FBI for an "additional period" of delay "at least five business days before the end of the initial period of delay and include a description of the continued substantial risk that disclosure poses to national security or public safety and an estimate of the duration that such risk may last." The guidelines also describe the circumstances and procedures applicable for requests for the further delays.

Limited scope. In conclusion, the DOJ cautions that these guidelines are not all-encompassing and that there may be situations beyond Form 8-K where additional reporting may be legally required or advisable even if not required, whether to the SEC or to other government agencies.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
