Starting December 18, 2023, SEC reporting companies will be required to disclose material cybersecurity incidents on Form 8-K unless the disclosure would, as determined by the U.S. Attorney General, “pose a substantial risk to national security or public safety.”
On December 12, the FBI and DOJ issued guidance to companies on (i) how to request a disclosure delay, (ii) what information must be included in delay requests, and (iii) how DOJ will review and decide delay requests.
One important takeaway from the FBI guidance is that “failure to report the cyber incident immediately upon determination of materiality will cause a delay-referral request to be denied.” In other words, the request must be made concurrently with the materiality determination and be submitted either by the victim or through the U.S. Secret Service, the Cybersecurity and Infrastructure Security Agency, or another sector risk management agency.
According to the FBI's Policy Notice, reporting delay requests will be reviewed and processed within a two-hour timeframe, and the Attorney General must invoke the provision permitting a delay within four business days of the materiality determination by the registrant. Given the tight timing constraints, the DOJ guidance encourages registrants to contact the FBI as soon as possible.
Requests made directly to the FBI must go through a dedicated email address that was still forthcoming at the time of the release of the guidance.
Reporting companies should familiarize themselves with the required form and content of the delay requests and with the guidelines issued by DOJ describing how it will review and decide delay requests. Reporting companies should also keep in mind that DOJ's criterion for granting a delay request is whether disclosure would pose a substantial risk to national security or public safety, not whether the incident itself poses such a risk.