FBI, DOJ, and SEC Publish Guidance on Requesting Delayed Reporting of Item 1.05, Material Cybersecurity Incidents, on Form 8-K
January 11, 2024
On July 26, 2023, the Securities and Exchange Commission (SEC) adopted final rules intended to enhance and standardize disclosures of cybersecurity risk management, strategy, governance, and incident reporting by public companies. Among the changes were amendments to Form 8-K adding new Item 1.05, which requires companies to report material cybersecurity incidents within four business days of determining that an incident is material. Compliance with the SEC Form 8-K Item 1.05 cybersecurity incident reporting rules (the “Item 1.05 Rules”) became mandatory on December 18, 2023.
The Item 1.05 Rules permit companies subject to them to request delayed disclosure where disclosure would pose a substantial risk to national security or public safety. In light of this, the Federal Bureau of Investigation (FBI), the Department of Justice (DOJ), and the SEC have each released guidance on the process by which companies may request such a delay and on how delay determinations will be made. When a company experiences a cybersecurity incident and believes that the incident may qualify for delayed disclosure, the company should act promptly to request the delay. Neither the request for delayed disclosure nor the time the government takes to consider that request tolls the four-business-day period within which the company must file an Item 1.05 Rules disclosure.
FBI Guidance on Delay Requests for 8-K Item 1.05 Reporting
The DOJ has designated the FBI as the agency responsible for receiving requests for Item 1.05 Rules disclosure delays. On December 6, 2023, the FBI released its guidance on the process by which companies can request a determination as to whether an Item 1.05 Rules disclosure delay should be granted. The FBI may receive such requests from the affected company itself, from the Cybersecurity and Infrastructure Security Agency (CISA), or from other government agencies. To determine whether a disclosure delay is warranted, the FBI will review the following:
- The time of the incident and the materiality determination;
- The type of incident that occurred;
- Suspected or known vulnerabilities leveraged by an intruder;
- Confirmed or suspected attribution of the responsible cyber actors; and
- Remediation status.
The FBI will ultimately assess whether an Item 1.05 Rules disclosure within the required four business days would pose a threat to national security or public safety. If the FBI determines that such a threat is credible for a particular cybersecurity incident, it may refer the disclosure delay request to the DOJ. At the DOJ, the Attorney General (AG) then issues a final determination as to whether the company may delay its disclosure under the Item 1.05 Rules. The DOJ process is explained in the following section.
DOJ Guidance on Delay Requests for 8-K Item 1.05 Reporting
On December 12, 2023, the DOJ published its guidelines on the process by which companies subject to the Item 1.05 Rules, or U.S. Government agencies coordinating with such companies, may request that the DOJ authorize a delay of a required cyber incident disclosure. In its guidance, the DOJ emphasizes that the circumstances in which it will find a substantial risk to national security or public safety, which is a prerequisite for approval of a delay request, are limited.
If a Cybersecurity Incident May Pose Substantial Risk to National Security or Public Safety
When a company believes a request for a disclosure delay is necessary
When a company believes a cybersecurity incident it has experienced may pose a substantial risk to national security or public safety, the company should, directly or through another U.S. Government agency (an “Agency”), contact the FBI consistent with the reporting instructions issued by the FBI as explained above. If the FBI refers a delay request to the DOJ, the referral will include an evaluation of whether disclosure within the timeframe prescribed by the Item 1.05 Rules would pose a substantial risk to national security or public safety. In requesting a delay, the company should provide a concise description of the facts forming the basis of its belief that disclosure may pose such a risk. The description should refer to one of the following circumstances in which disclosure of information required by the Item 1.05 Rules could pose a substantial risk:
- The cybersecurity incident resulted from illicit cyber activity reasonably suspected to involve a technique for which there is no well-known mitigation, and disclosure could lead to further incidents;
- The cybersecurity incident primarily impacts a system operated or maintained by the company that contains sensitive U.S. Government information, or information the U.S. Government would consider sensitive, and public disclosure would make that information and/or system vulnerable to further exploitation by illicit cyber activity;
  - This includes systems operated or maintained for the government as well as systems not specifically operated or maintained for the government that contain information the government would view as sensitive.
- The company is conducting remediation efforts for critical infrastructure or critical systems, and disclosure revealing the company is aware of the incident would undermine those remediation efforts; or
- Circumstances where an Agency, rather than a company, is likely to be aware of a substantial risk to national security or public safety and the agency has made the company aware.
Because the AG must invoke the delay provision within four business days of the company’s determination that it has experienced a material cybersecurity incident, the company should submit its description promptly; a request that is still under consideration when the four-business-day deadline arrives does not excuse the filing.
When a U.S. Government agency believes a request for a disclosure delay is necessary
The DOJ guidance addresses in more detail the circumstances in which a recommending Agency, rather than the company, is likely to be aware of a substantial risk to national security or public safety. When an Agency becomes aware of a cybersecurity incident involving a company’s information systems and believes disclosure would pose such a risk, that Agency should, in consultation with the FBI and other agencies as appropriate, determine whether the government should notify and coordinate with the company regarding the timing and content of the information the company plans to disclose, and whether the company would agree to a delayed disclosure if the AG makes the necessary determination. If the Agency believes a delay is warranted and the company agrees to it, the Agency should:
- contact the DOJ through the FBI;
- communicate the relevant facts;
- explain why a delay is appropriate; and
- recommend a period for delay.
The DOJ has sole discretionary authority to determine whether, and for how long, a substantial risk to national security or public safety exists such that delayed disclosure is necessary. To make its determination, the DOJ, through the FBI, will consult with other relevant agencies as appropriate. When the AG determines that disclosure of all or part of the information required by the Item 1.05 Rules would pose a substantial risk to national security or public safety, the DOJ will notify the SEC of that determination in writing, specifying a delay period of up to 30 days. The DOJ will also notify the recommending Agency and the company of the determination, including the scope of the information covered and the length of the delay. If the DOJ determines that a delay is unwarranted, it will inform the recommending Agency and the company. If the company disagrees with the DOJ’s determination either way, it should inform the DOJ and provide additional information or supporting material.
The DOJ’s guidance goes on to provide specifics on the following discrete topics:
- Changes in circumstances during a delay period
- Subsequent periods of delay
- Additional periods of delay after initial delay
- Final additional periods of delay
- Periods beyond the final 60-day delay
- The DOJ guidance’s limited scope
SEC Guidance on Delay Requests for 8-K Item 1.05 Reporting
The SEC provided its guidance on Item 1.05 Rules disclosure delay requests in its Compliance and Disclosure Interpretations (C&DIs), last updated December 14, 2023, specifically in Section 104B. The guidance takes the form of questions and answers addressing the Item 1.05 Rules.
Key takeaways from the questions and answers provided in Section 104B are provided below.
- A company may delay providing Item 1.05 Rules disclosure only if the AG determines that disclosure would pose a substantial risk to national security or public safety and notifies the SEC of that determination in writing before the four-business-day disclosure deadline.
- If a company receives a delay per its request, the company must file an Item 1.05 Rules disclosure within four business days of the expiration of the delay period provided by the AG.
- If, during a permitted delay, the AG determines that disclosure of the incident no longer poses substantial risk to national security or public safety, the company must file, per Item 1.05 Rules, within four business days of the AG’s notification to the SEC and the company that disclosure no longer poses this risk.
- The mere fact that a company consults with the DOJ regarding the availability of a disclosure delay does not by itself mean the incident is material, and so does not by itself subject the incident to the Item 1.05 Rules reporting requirements.
Paul Hastings attorneys will continue to monitor these and other developments as we support our privacy and cybersecurity clients. If you have any questions, please do not hesitate to contact any member of our team.