Most U.S. public companies are gearing up to prepare and file their annual reports (Forms 10-K) between February 29th and April 1st. This year’s preparations will be busier because the Regulations on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (Cyber Risk Regulations) issued by the Securities and Exchange Commission (SEC) are now in force.
The Cyber Risk Regulations require that annual reports filed for fiscal years ending on or after December 15, 2023 include descriptions of the reporting company’s cyber risk management and strategy and cyber risk governance.
In brief, a reporting company must disclose in its annual report:
- processes for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes.
- whether any risks from cybersecurity threats have materially affected, or are reasonably likely to materially affect, the reporting company’s business strategy, results of operations or financial condition and, if so, how.
- the board’s oversight of risks from cybersecurity threats and management’s role in assessing and managing material risks from cybersecurity threats.
A public company also must report to the SEC (via Item 1.05(a) of Form 8-K) any material cybersecurity incident that occurs on or after December 18, 2023, and describe the nature, scope, timing and impact (or reasonably likely impact) of that material incident. The disclosure must occur within four (4) business days after the reporting company’s materiality determination. If information not available at the time of the materiality determination becomes available, the reporting company must subsequently amend the Item 1.05 Form 8-K within four business days after the new information becomes available. In a December 14th statement, Erik Gerding, the SEC’s Director, Division of Corporation Finance, noted how using the “time-tested and familiar materiality standard” for cyber risk – rather than a “new bespoke standard” – is consistent with the overarching goal of consistent and comparable disclosure about the other risks that public companies face.
December 2023 also brought some clarity about the process for requesting delayed disclosure of a material cybersecurity incident due to national security or public safety concerns under Item 1.05(c) of Form 8-K.
Item 1.05(c) states that “if the United States Attorney General determines that disclosure [of a material cybersecurity incident] poses a substantial risk to national security or public safety, and notifies the [SEC in writing], the registrant may delay providing the disclosure … for a time period specified by the Attorney General, up to 30 days following the date when the disclosure [was otherwise required] …”
Item 1.05(c) of Form 8-K further allows for delayed disclosure (i) for up to 30 more days if the U.S. Attorney General determines that disclosure continues to pose a substantial risk to national security or public safety and notifies the SEC in writing and (ii) “in extraordinary circumstances” for “a final additional period of up to 60 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security and notifies the SEC in writing.” Thereafter, if the Attorney General indicates that further delay is necessary, the SEC will consider additional requests for delay and grant the request through an “exemptive order.”
On December 6, 2023, the Federal Bureau of Investigation (FBI) clarified procedures for processing a reporting company’s request for a material cybersecurity incident disclosure delay in its “Cyber Victim Requests to Delay Securities and Exchange Commission Public Disclosure Policy Notice” (FBI Policy Notice) and “Guidance to Victims of Cyber Incidents on SEC Reporting Requirements” (FBI Guidance). The following week, on December 12, 2023, the Department of Justice (DOJ) published its guidelines for Material Cybersecurity Incident Delay Determinations (DOJ Guidelines). Highlights follow.
FBI Guidance
The FBI Guidance explains how a reporting company may submit a reporting delay request to the FBI.
- The FBI receives, reviews and verifies the facts of all delay requests whether received via cyber_sec_disclosure_delay_referrals@fbi.gov or by referral from CISA, the Department of Defense, U.S. Secret Service or another federal law enforcement or sector risk management agency.
- The FBI will not process a delay request unless the FBI receives it “immediately upon a [reporting] company’s determination to disclose [via Form 8-K] a cyber incident”.
- Each delay request must include the following information:
  - Name of reporting company;
  - Date the cyber incident occurred;
  - Date and time (including time zone) when the company determined the cyber incident required disclosure via Form 8-K;
  - Whether the reporting company is already in contact with the FBI or another U.S. government agency regarding the incident, and if so, the name and contact information of the contacts at the FBI or other agency;
  - Description of the incident including, at minimum, information regarding the incident type, known or suspected attack vectors, identified vulnerabilities, type of affected infrastructure/data, how the infrastructure/data was affected, and any known operational impact on the reporting company;
  - Status of remediation or mitigation efforts;
  - Address (street, city, and state) where the material cyber incident occurred;
  - Primary contact at the reporting company with whom the FBI may discuss the delay request; and
  - Whether the public company previously submitted a delay request, and if so, details about when the DOJ made its last delay determination(s), the grounds for the determination(s), and the timeline granted for the delay.
- After completing its verification, the FBI documents and refers suitable requests to the DOJ and assists with follow-up inquiries.
DOJ Guidelines
The DOJ Guidelines explain DOJ’s approach to making the determination described in Item 1.05(c) of Form 8-K. That is, the DOJ’s role is determining whether the public disclosure of a cybersecurity incident threatens public safety or national security, rather than whether the cybersecurity incident itself poses a substantial risk to public safety and national security.
The DOJ Guidelines affirm the SEC position that prompt disclosure of material cyber incidents generally benefits investors, public safety and national security, but also carve out four general scenarios that may warrant delayed disclosure:
- A cyber incident that involves new techniques for which no well-known mitigation strategy exists, such as zero-day vulnerabilities that can be further exploited by other threat actors to harm others if publicized.
- A cyber incident affecting a system that contains information that the U.S. Government would consider to be sensitive, such as systems operated by or maintained for the U.S. Government that contain information regarding national defense.
- A cyber incident that is being remediated and that involved critical infrastructure or critical systems, if public disclosure of the cyber incident would undermine remediation efforts.
- A cyber incident of which the U.S. Government becomes aware and for which it submits a delay request to the DOJ.
  - If the U.S. Government becomes aware of a cyber incident affecting a public company (of which the public company is not aware), it will consult with the FBI and other agencies, as appropriate, to determine whether to notify the affected public company and submit a delay request to the DOJ. If the public company is notified, the agencies will work with the affected public company to determine the appropriate timeline for and content of an 8-K disclosure, and coordinate with the public company on any authorized reporting delays.
  - If the U.S. Government becomes aware of ongoing illicit cyber activity and freezes or seizes information, assets, or infrastructure involved in the illicit cyber activity, or arrests an individual or individuals for illicit cyber activity, the DOJ will authorize a reporting delay if prompt disclosure would pose a demonstrable threat or impediment to the success of an operation to thwart the illicit cyber activity.
  - If the U.S. Government becomes aware of or is conducting remediation of any critical infrastructure or critical system affected by a cyber incident, and prompt 8-K disclosure would undermine remediation efforts and pose a substantial risk to national security or public safety, then the DOJ will authorize a reporting delay.
The DOJ must authorize a reporting delay within four (4) business days after the public company determines it experienced a material cybersecurity incident. Accordingly, the affected company must report a material cyber incident for which it is requesting a reporting delay to the FBI as soon as possible. The DOJ Guidelines acknowledge that this reporting may be required before the investigation and incident materiality analysis are complete. Although the DOJ has sole discretionary authority to determine whether and for how long to authorize a reporting delay, the DOJ will consult with other U.S. Government agencies (e.g., FBI, Secret Service, CISA, Sector Risk Management Agencies), as appropriate.
The DOJ will notify the public company and FBI concurrently of its determination, specifying the scope of information covered by the determination and the approved period of delay. In some instances, only part of a cyber incident is subject to a reporting delay, in which case the public company must promptly complete disclosure with information not covered by the DOJ’s determination.
If, at any point during the DOJ-approved reporting delay period, the recommending agency receives new or changed information indicating that a reporting delay is no longer required because the incident no longer poses a substantial threat to national security and/or public safety, the recommending agency must submit a notice to the DOJ via the FBI. The DOJ will consider the recommending agency’s new determination and will notify the recommending agency, the SEC, and the affected public company in writing of whether the DOJ has determined that the reporting delay is no longer warranted.
If the DOJ determines a reporting delay is no longer warranted, the DOJ may cancel the reporting delay authorization by written notice to the SEC, the affected public company and the recommending agency (as applicable). If the recommending agency disagrees with the DOJ’s determination, the recommending agency may seek reconsideration and provide additional information and supporting materials to the DOJ.
* * * *
Together, these publications provide some much-needed clarity for companies – particularly those operating in critical infrastructure or that maintain sensitive government information. While more information about the process for requesting delayed disclosure of a material cybersecurity incident will not directly help with preparation of the Form 10-K, a reporting company – particularly one likely to fall within any of the DOJ’s four scenarios – may wish to update its internal procedures to cover when and how a delayed disclosure is permitted.