Cybersecurity Disclosures – SEC and FBI Guidance

When the SEC issued its new cybersecurity disclosure Final Rule, it created the new Item 1.05 Form 8-K requiring disclosure of material cybersecurity incidents.  You can read more about the Final Rule and the Form 8-K, along with the related implementation timing, in this blog post.

One of the complex issues in the 1.05 Form 8-K is this instruction:

(c) Notwithstanding General Instruction B.1. to Form 8-K, if the United States Attorney General determines that disclosure required by paragraph (a) of this Item 1.05 poses a substantial risk to national security or public safety, and notifies the Commission of such determination in writing, the registrant may delay providing the disclosure required by this Item 1.05 for a time period specified by the Attorney General, up to 30 days following the date when the disclosure required by this Item 1.05 was otherwise required to be provided. Disclosure may be delayed for an additional period of up to 30 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing. In extraordinary circumstances, disclosure may be delayed for a final additional period of up to 60 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security and notifies the Commission of such determination in writing. Beyond the final 60-day delay under this paragraph, if the Attorney General indicates that further delay is necessary, the Commission will consider additional requests for delay and may grant such relief through Commission exemptive order.

The FBI has established a process to request such disclosure delays on this webpage: FBI Guidance to Victims of Cyber Incidents on SEC Reporting Requirements.  Interestingly, the guidance suggests that companies establish a relationship with the cyber squad at their local field office.  It also notes that “delay requests won’t be processed unless they are received by the FBI immediately upon a company’s determination to disclose a cyber incident via 8k.”

On December 14, 2023, CorpFin issued four new Compliance and Disclosure Interpretations (C&DIs) in Section 104B that address questions about the delay process.  The new C&DIs address issues including what a company should do if it contacts the Attorney General, but a determination is not made by the original due date for the Form 8-K.  In this situation, the 8-K must be filed by its original due date.  The C&DIs also clarify that consulting with the Department of Justice about a cybersecurity incident does not create a presumption that the incident is material.

To provide additional support for companies as they work to provide required cybersecurity disclosures, on December 14, 2023, CorpFin Director Erik Gerding published this speech providing an overview of the new rules and specific thoughts about the cybersecurity incident disclosures on Form 8-K and the cybersecurity governance and risk management disclosures required in new Item 1C for Form 10-K.  In his speech, Director Gerding states:

“But I want to reassure companies and their representatives that our Division does not seek to make ‘gotcha’ comments or penalize foot faults.  To the extent appropriate, we may issue forward-looking comments to companies or additional CDIs.”

As always, your thoughts and comments are welcome!
