DOJ & FBI Issue New Guidelines for Delayed Reporting of Cyber Incidents to the SEC
At a Glance
- On the heels of the SEC’s new cybersecurity rule, the DOJ and FBI each released information about how public companies can request delaying public disclosure of material cybersecurity incidents.
- Public companies can seek a delay of disclosure for incidents that pose a substantial risk to national security or public safety.
- Requests, which must be sent to the FBI, are likely to be granted only in limited circumstances.
Under the Securities and Exchange Commission’s (SEC) new Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule (cybersecurity rule), public companies subject to the cybersecurity rule must promptly disclose any “material cybersecurity incident.” Such reporting can be delayed if the U.S. attorney general determines that disclosure “poses a substantial risk to national security or public safety.”
On December 6, 2023, the Federal Bureau of Investigation (FBI) issued a policy notice outlining procedures for public companies to request cybersecurity incident disclosure delays. Further, the U.S. Department of Justice (DOJ) on December 12, 2023, issued departmental guidelines setting forth how it will review and decide delay requests. This article highlights these recent developments, underscoring the significance of adopting a proactive compliance approach to satisfy the reporting requirements of the cybersecurity rule.
Delay Request Procedures
Under both the FBI’s policy notice and the DOJ’s departmental guidelines, the FBI is tasked with handling delay referral requests, coordinating checks of national security and public safety equities, and reporting outcomes to the DOJ, which makes the final delay determination.
According to the DOJ, public company registrants should report incidents to the FBI “as soon as possible, even beginning well before the registrant has completed its materiality analysis or its investigation into the incident.” This may pose a dilemma for some companies, which could face the decision of whether to seek a delay before enough information is known to assess the scope and severity of a known or suspected cybersecurity incident.
The policy notice establishes roles, responsibilities and procedures for FBI personnel, including the intake of delay referral requests, coordination of equity checks, documentation in the FD-1219 form “Federal Bureau of Investigation 8-K Cyber Delay Referral Form,” and submission to the DOJ. The policy notice applies to all FBI personnel involved in processing delay referral requests from cyber incident victims. There are no exemptions, and it covers requests made whether the FBI is already aware of the incident or not.
The policy notice outlines a detailed process for handling delay referral requests, including verification criteria, record checks, drafting FD-1219 forms, and assigning responsibilities to field offices and operational desk program managers. Approval of FD-1219 forms involves multiple law enforcement stakeholders, and ongoing and nimble communication with these stakeholders is crucial for timely processing of delay referral requests.
DOJ Delay Determinations
The DOJ guidelines, for their part, make clear that disclosure delays will only be granted in “limited circumstances.” In the department’s view, “prompt public disclosure of relevant information about a cybersecurity incident provides an overall benefit for investors, public safety, and national security.”
As a guiding principle, DOJ distinguishes between cases in which public disclosure of a cybersecurity incident threatens public safety or national security and cases in which the incident itself poses a substantial risk to public safety and national security. In certain circumstances public disclosure of the incident should be delayed, such as when the cybersecurity incident is reasonably suspected to involve a technique for which there is not yet a well-known mitigation, such as a zero-day software vulnerability. Additionally, incidents that primarily affect systems containing sensitive U.S. government information, or critical infrastructure systems, might also be candidates for disclosure delay.
DOJ’s guidelines also address situations when a U.S. government agency becomes aware of a cybersecurity incident affecting a public company that poses a substantial risk to national security or public safety, including whether the public company should be notified of the incident and whether disclosure decisions should be coordinated with the company. For example, in some situations the government might learn of an incident through confidential sources or be involved in an operation to disrupt illicit cyber activity. To the extent that the public company becomes aware of such activity, the DOJ guidelines appear to give the company — rather than the government — the discretion of whether to seek a disclosure delay. In practice, most companies would likely seek a delay if the U.S. government informed the company that disclosure would threaten national security or public safety.
The DOJ, under certain circumstances, can allow delays of up to 30, 60 or 120 business days, depending on the nature of the threat. Delays exceeding these limits require an exemptive order from the SEC.
Conclusion
Prompt and transparent reporting is vital for good corporate governance; yet in certain cases, seeking a delay in reporting a material cybersecurity incident can be a prudent strategy. In such situations, strict compliance with the outlined procedures is essential for the timely and lawful handling of requests to delay public disclosure of a cybersecurity incident. Seek legal advice from a knowledgeable law firm to navigate these intricate regulatory requirements and ensure the protection of both business and public interests.
The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.