As detailed in our July 2023 GT Alert, the Securities and Exchange Commission (SEC) now requires public companies to file a Form 8-K and disclose a material cybersecurity incident within four days of determining the incident’s materiality. Form 8-K Item 1.05(c) includes an exception to the four-day requirement: where disclosure poses a substantial risk to national security or public safety. Disclosure of certain incidents can be delayed if approved by the attorney general. On Dec. 12, 2023, the Department of Justice (DOJ) released guidelines explaining what will be considered a national security or public safety risk, the process for notifying the government of such a risk, the delays available, and the implementation of delays.
Assessing an Incident for National Security Risk
The guidelines describe four categories of circumstances that could create a national security risk that merits delaying notification. The categories are:
- No or little-known mitigation: If the incident involved a technique for which there is not yet a well-known mitigation, disclosure could draw attention to an ongoing vulnerability, which could lead to further incidents.
- Protecting sensitive government information: If the system that was impacted contained sensitive U.S. government information and disclosure would make that information or system vulnerable to further exploitation.
- Disrupted remediation: If the system impacted by the incident involves critical infrastructure or a critical system and if disclosure required by Item 1.05 would disrupt the company’s remediation efforts by revealing they are aware of the incident.
- Government-detected vulnerability: If there is a national security or public safety threat that the government is aware of that has not been detected by the company, the government entity aware of the risk may notify the company and seek approval through the FBI to delay notification.
Timing of Reporting
The DOJ guidance cautions companies against waiting until a materiality analysis is complete to notify the government about a suspected national security risk. The guidance advises companies to provide the government with the relevant national security risk-related information as soon as possible.
If the company experiencing a breach suspects there is a national security risk posed by the 1.05 disclosure, it can secure government approval for a delay either by making a report directly to the FBI, which will process the report on behalf of DOJ, or through another U.S. government agency, which will bring the report to the FBI.
Length of Delay
If the attorney general invokes the provision permitting a delay based on one of the four categories listed above, the initial delay can be granted for up to 30 days. An additional 30-day delay may be granted, with an additional 60-day period available thereafter and an undefined period available after the 60-day period concludes.
Implementing the Delays
A delayed disclosure will not necessarily be granted for the incident as a whole. Where disclosure creates a risk with only certain elements of an incident, only disclosure related to those elements of the incidents will be included in the delay.
Takeaway
Companies experiencing a cybersecurity incident should immediately consider whether any of the four categories of national security or public safety risks applies. Early notification to the government, even before a materiality analysis has been completed, may help expedite a request for approval to delay public reporting.