DOJ, FBI Issue Guidance for Public Companies Seeking to Delay Disclosure of Material Cybersecurity Incidents

As we discussed in our prior blog post, the Securities and Exchange Commission (SEC) recently finalized its Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule for public companies (the "Rule"). The Rule requires, among other things, that public companies disclose "material" cybersecurity incidents on Form 8-K (Form 6-K for foreign private issuers). Item 1.05 of Form 8-K must include the "material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations," and the form must be filed within four business days of determining that an incident is material. The Rule permits companies to delay disclosure beyond four business days only where the U.S. Attorney General determines that disclosure "would pose a substantial risk to national security or public safety." The Rule's cyber incident disclosure requirements go into effect on December 18, 2023.

The SEC's Rule provided no details on how a company could request that the Attorney General grant a disclosure delay or how approval of such a request would be communicated to the requesting company or the SEC. The Department of Justice (DOJ) and Federal Bureau of Investigation (FBI) now have issued guidance providing these details. The DOJ issued departmental guidelines (DOJ Departmental Guidelines) setting forth how it will review and decide delay requests, and the FBI has issued a Policy Notice outlining the intake process for delay requests along with a summary of that notice and Guidance to Victims of Cyber Incidents on SEC Reporting Requirements (FBI Guidance).

Under the SEC's Rule, disclosure initially may be delayed for a time period specified by the Attorney General, but only up to 30 days. Disclosure may be delayed for an additional 30 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security or public safety. A further 60-day delay may be granted, but only "in extraordinary circumstances" due to substantial national security (but not public safety) risks. Any delay beyond that final 60-day period (120 days total) would have to be approved by an exemptive order from the SEC.[1]

Public companies should review carefully the DOJ Departmental Guidelines and the FBI Guidance and Policy Memo before seeking a delay in disclosure. The FBI also recommends that public companies establish a relationship with the cyber squad at their local FBI field office, which can be vital for timely obtaining delays for incident reporting requirements (whether under the SEC's Rule, state laws, or otherwise) and requesting assistance and intelligence when responding to cyber-attacks.

Overview of the DOJ and FBI Guidance

The DOJ Departmental Guidelines make clear that exceptions will be granted only in very limited circumstances. Those guidelines emphasize that the question for the DOJ is not whether the cybersecurity incident poses a substantial risk to national security or public safety, but rather whether disclosure of the incident in accordance with the SEC Rule poses such risk. The DOJ Departmental Guidelines identify only six scenarios where it expects the risk of public disclosure would justify a disclosure delay:

• Where a cybersecurity incident that involves the use of malicious technique for which there is not yet a well-known mitigation—for example, the exploitation of a software vulnerability for which no patch yet exists, such that disclosure of the vulnerability could lead to more incidents;
• Where a cybersecurity incident impacts a system operated or maintained by a company that contains sensitive U.S. government information or other information the government considered sensitive, and where disclosure could make the system or the information vulnerability to further exploitation;
• Where the public company is conducting remediation on any critical infrastructure or critical system, and where public disclosure would undermine that remediation by informing the attackers that the public company is aware of incident;
• Where the U.S. government is aware of or conducting remediation on any critical infrastructure or critical system, and where public disclosure would undermine remediation by revealing that the public company is aware of the incident;
• Where disclosure would risk revealing a confidential source, information relating to national security, or law enforcement sensitive information;
• Where the U.S. government is prepared to execute, or is aware of, an operation to disrupt ongoing illicit cyber activity that poses a substantial risk to national security or public safety, and where public disclosure would pose a demonstrable threat or impediment to the success of that operation.

Where a federal agency becomes aware of a cybersecurity incident and believes that public disclosure of that incident may pose a substantial risk to national security or public safety (for example, in the last three scenarios listed above), the DOJ Departmental Guidelines state that the agency should consider notifying the affected public company and coordinate submission of a delay request.

The DOJ and FBI materials establish the FBI as principally responsible for fielding disclosure delay requests from public companies. Upon receipt of a request, the FBI must refer the request to the Department of Justice (DOJ) for review and adjudication. Requests to delay disclosure of a material cybersecurity incident must be made "immediately" upon the requesting company's determination that the cybersecurity incident is "material" within the meaning of the SEC's Rule.[2] The SEC Rule requires that a company's materiality determinations be made "without unreasonable delay" after discovery of the cybersecurity incident.

The DOJ Departmental Guidelines advise companies requesting a delay provide a "concise description of the facts forming the basis" for the company's belief that disclosure of the information required by the SEC Rule may pose a substantial risk to national security or public safety. The company requesting the delay should focus its request on establishing the potential consequences to national security or public safety that would result from disclosure of the information required to be listed in Item 1.05 of Form 8-K.

According to the FBI's Policy Notice, a reporting delay request will be reviewed and processed within a two-hour timeframe. In that two-hour window, the FBI anticipates completing the following tasks, among others:

• Verifying the request is being made by a publicly traded company that has experienced a cybersecurity incident;
• Verifying the request is being made concurrently with the public company determining that the cybersecurity incident is material.
• Conducting initial record checks of FBI systems for information specifically related to the incident.
• Referring the request to DOJ for adjudication, if the request meets the above criteria.

According to the FBI Guidance, if the requester is not a publicly traded company or if the request was not made concurrently with the materiality determination, then FBI personnel are directed to not process the request.

The DOJ and FBI materials indicate that submission of a delay request does not toll the SEC Rule's four-business-day disclosure deadline. Both the DOJ and FBI encourage covered entities to engage with the FBI on a delay request as soon as possible—potentially even before the company has completed its investigation or determined that the cybersecurity incident is material. Companies that submit a delay request should concurrently prepare to disclose the cybersecurity incident on a Form 8-K in the event that the Attorney General denies the request. The FBI Guidance states that a company's decision to engage with the FBI or other agency on a potential delay request does not constitute a decision by the company that the incident is in fact material.

The DOJ Disclosure Guidelines note that the Attorney General may partially grant a delay request. For instance, the Attorney General may determine that while disclosure of the incident overall does not pose a significant risk to national security or public safety, disclosure of specific information required by Item 1.05 of Form 8-K (for example, the timing of the incident) could pose such a risk and therefore may be delayed. Companies are also required to share any new or changed information relevant or potentially relevant to the national security or public safety risks of public disclosure that arises during the delay period.

Steps Required to Request a Cyber Incident Reporting Delay from Law Enforcement

The FBI Guidance includes instructions on how to submit a disclosure delay request and list of required information. To request a disclosure delay, companies must send an email to a dedicated FBI email address (to be announced) or submit the request through the U.S. Secret Service, the Cybersecurity and Infrastructure Security Agency, the Department of Defense, or another sector risk management agency.[3]

According to the FBI Guidance, a delay request must include all of the following information:

• Name of the company;
• Date when the cyber incident occurred;
• Date when the company determined that the cyber incident was material under the SEC's regulations. Companies must also include the date, time, and time zone;
• Whether the company is already in contact with the FBI regarding this incident, including the names and field offices of the FBI points of contact;
• A description of the cyber incident in detail which includes, at a minimum:
  • What type of incident occurred;
  • Whether there are known or suspected intrusion vectors;
  • What infrastructure of data were affected (if any) and how they were affected;
  • What the operations impact on the victim company is, if known;
• Whether there are any confirmed or suspected attribution of the cyber actors responsible for the incident;
• The current status of any remediation or mitigation efforts;
• The location where the cyber incident occurred, including the street address, city, and state;
• The company's points of contact for reporting the cyber incident and requesting a delay; and
• Whether the company previously submitted a delay referral request, or if this is the first time. If a delay request was previously submitted, the company needs to include:
  • Details about when the DOJ made its last determination(s);
  • The grounds for the determination; and
  • How long a delay was granted (if applicable).

DWT's privacy and security team will continue to monitor the SEC's enforcement of the Rule and the Attorney General's implementation of delay request process.