{"id":2814,"date":"2023-12-15T09:18:33","date_gmt":"2023-12-15T14:18:33","guid":{"rendered":"https:\/\/seci.wpenginepowered.com\/?p=2814"},"modified":"2023-12-15T09:18:37","modified_gmt":"2023-12-15T14:18:37","slug":"cybersecurity-disclosures-sec-and-fbi-guidance","status":"publish","type":"post","link":"https:\/\/seciblog.pli.edu\/index.php\/cybersecurity-disclosures-sec-and-fbi-guidance\/","title":{"rendered":"Cybersecurity Disclosures \u2013 SEC and FBI Guidance"},"content":{"rendered":"<p>When the SEC issued its new cybersecurity disclosure <a href=\"https:\/\/www.sec.gov\/files\/rules\/final\/2023\/33-11216.pdf\">Final Rule<\/a>, it created the new Item 1.05 Form 8-K requiring disclosure of material cybersecurity incidents.\u00a0 You can read more about the Final Rule and the Form 8-K, along with the related implementation timing, in this <a href=\"https:\/\/seciblog.pli.edu\/sec-adopts-new-cybersecurity-rules\/\">blog post<\/a>.<\/p>\n<p>One of the complex issues in the 1.05 Form 8-K is this instruction:<\/p>\n<p style=\"padding-left: 40px;\">(c) Notwithstanding General Instruction B.1. to Form 8-K, if the United States Attorney General determines that disclosure required by paragraph (a) of this Item 1.05 poses a substantial risk to national security or public safety, and notifies the Commission of such determination in writing, the registrant may delay providing the disclosure required by this Item 1.05 for a time period specified by the Attorney General, up to 30 days following the date when the disclosure required by this Item 1.05 was otherwise required to be provided. Disclosure may be delayed for an additional period of up to 30 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing. 
In extraordinary circumstances, disclosure may be delayed for a final additional period of up to 60 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security and notifies the Commission of such determination in writing. Beyond the final 60-day delay under this paragraph, if the Attorney General indicates that further delay is necessary, the Commission will consider additional requests for delay and may grant such relief through Commission exemptive order.<\/p>\n<p>The FBI has established a process to request such disclosure delays on this webpage: <a href=\"https:\/\/www.fbi.gov\/investigate\/cyber\/fbi-guidance-to-victims-of-cyber-incidents-on-sec-reporting-requirements\">FBI Guidance to Victims of Cyber Incidents on SEC Reporting Requirements<\/a>.\u00a0 Interestingly, the guidance suggests that companies establish a relationship with the cyber squad at their local field office.\u00a0 It also notes that \u201cdelay requests won&#8217;t be processed\u202funless\u202fthey are received by the FBI\u00a0immediately\u202fupon a company\u2019s determination to disclose a cyber incident via 8k.\u201d<\/p>\n<p>On December 14, 2023, CorpFin issued <a href=\"https:\/\/www.sec.gov\/divisions\/corpfin\/guidance\/8-kinterp.htm#104b.01\">four new Compliance and Disclosure Interpretations in Section 104B<\/a> (C&amp;DIs) that address questions about the delay process.\u00a0 The new C&amp;DIs address issues including what a company should do if it contacts the Attorney General, but a determination is not made by the original due date for the Form 8-K.\u00a0 In this situation, the 8-K must be filed by its original due date.\u00a0 The C&amp;DIs also clarify that consulting with the Department of Justice about a cyber security incident does not create a presumption that the incident is material.<\/p>\n<p>To provide additional support for companies as they work to provide required cyber security disclosures, on December 14, 
2023, CorpFin Director Erik Gerding published this <a href=\"https:\/\/www.sec.gov\/news\/speech\/gerding-cybersecurity-disclosure-20231214\">Speech<\/a> providing an overview of the new rules and specific thoughts about the cybersecurity incident disclosures on Form 8-K and the cybersecurity governance and risk management disclosures required in new Item 1C for Form 10-K.\u00a0 In his speech, Director Gerding states:<\/p>\n<p style=\"padding-left: 40px;\">\u201cBut I want to reassure companies and their representatives that our Division does not seek to make \u2018gotcha\u2019 comments or penalize foot faults.\u00a0 To the extent appropriate, we may issue forward-looking comments to companies or additional CDIs.\u201d<\/p>\n<p>As always, your thoughts and comments are welcome!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>When the SEC issued its new cybersecurity disclosure Final Rule, it created the new Item 1.05 Form 8-K requiring disclosure of material cybersecurity incidents.\u00a0 You can read more about the Final Rule and the Form 8-K, along with the related implementation timing, in this blog post. 
One of the complex issues in the 1.05 Form &hellip; <a href=\"https:\/\/seciblog.pli.edu\/index.php\/cybersecurity-disclosures-sec-and-fbi-guidance\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Cybersecurity Disclosures \u2013 SEC and FBI Guidance<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":9,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[143,242],"tags":[],"coauthors":[154],"class_list":["post-2814","post","type-post","status-publish","format-standard","hentry","category-hot-topic","category-reporting"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/posts\/2814","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/comments?post=2814"}],"version-history":[{"count":0,"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/posts\/2814\/revisions"}],"wp:attachment":[{"href":"https:\/\
/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/media?parent=2814"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/categories?post=2814"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/tags?post=2814"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/coauthors?post=2814"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}