Alert
01.12.24
The SEC's sweeping Cybersecurity Disclosure Final Rules put registrants on a tight deadline—just four business days to disclose material cybersecurity incidents.
The SEC is keen on regulating this turbulent and fast-evolving environment—and equally prepared to enforce alleged violations. On October 30, 2023, the SEC announced unprecedented charges against not only SolarWinds but also its Chief Information Security Officer for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.
In light of the SolarWinds enforcement action and other warning signs from the SEC, the pressure is on registrants to disclose timely and accurately. In this climate, registrants may be considering whether, in the event of an incident, they may be allowed to delay disclosure (i.e., extend the deadline to disclose) on national security or public safety grounds.
The answer, per recently released guidance from the DOJ, is very rarely. The DOJ listed a small number of circumstances where an extension will be considered and made it clear that such requests will not be granted in most cases. The bottom line is that unless the government does not want specific information disclosed publicly, such as a unique flaw in critical infrastructure that cannot be easily remediated, registrants must disclose within four business days.
Background: The SEC's Final Rules
As we discussed in a recent client alert, the Final Rules require registrants to:
Item 1.05(c) creates an exception to the general disclosure requirement where the U.S. Attorney General determines that disclosure "poses a substantial risk to national security or public safety."
Key Points from the DOJ's Guidance
SEC registrants should not expect to receive an extension on their SEC cyber disclosure obligations from the DOJ. The crux of the DOJ's reasoning is that, in most cases, registrants' disclosures will be general enough to avoid any public safety or national security risks. And while there is no presumption of approval or denial when the DOJ receives an extension request (meaning each request will be handled individually), the department has also made clear that only a very limited set of circumstances will potentially warrant any extension.
The DOJ outlined in its department guidelines when it might consider granting an extension. Specifically, it outlined the following limited circumstances:
Delay Process and Considerations
Because the circumstances in which an extension will be granted are rare, the DOJ has committed to making a decision on whether to grant an extension within the four-business-day deadline for making an 8-K disclosure.
If a registrant believes the cybersecurity incident poses a substantial risk to national security or public safety, the registrant should immediately contact the FBI (either directly or through the U.S. Secret Service, the Cybersecurity and Infrastructure Security Agency, or sector risk management agencies), consistent with the reporting instructions the FBI has issued. The FBI is responsible for receiving delay requests on behalf of the DOJ. A registrant may want to notify the FBI even before it makes a materiality determination, as this will aid the FBI's quick review if the registrant later determines it will seek a disclosure delay. Indeed, failure to report the cyber incident immediately upon the materiality determination will cause a delay request to be denied. Under the DOJ's guidance, the FBI refers the request to the DOJ with its own evaluation of whether a disclosure delay is merited.
If the DOJ believes disclosure of a cybersecurity incident pertaining to a registrant's information system would pose a national security or public safety risk, the government will determine whether to notify and coordinate with the registrant regarding disclosure or a delay request. The DOJ has sole authority to determine whether to grant an extension, but it reaches that determination through the FBI, in consultation with other government agencies. If it determines a delay is warranted, the DOJ will notify the SEC in writing and will specify a period for the delay.
The initial delay period may be up to 30 days. Upon request, registrants may be allowed a possible "additional" period of up to 30 days, a possible "final additional" period of up to 60 days, and a possible further delay "beyond" that. These additional periods of delay are generally only appropriate where the risk is ongoing and, for a "final additional" delay, extraordinary.
The DOJ may also determine that delay is warranted only as to certain information, such as the nature or scope of the incident but not the timing of the incident. Of course, if the DOJ determines delay is not warranted at all, it will inform the registrant and the government, as applicable.
Recommendations
Given the minimal likelihood that the DOJ will grant a delay (and a full delay, at that), registrants should be prepared to make a disclosure (even if only in part) immediately upon receiving the DOJ's determination.
Registrants will want to consider the following best practices in connection with seeking disclosure delays:
As with any risk management approach, proactive compliance is key. Registrants, especially those whose information systems may implicate government infrastructure, should ensure they are equipped to promptly request a disclosure delay in the event of an incident—and, equally important, that they are ready to disclose that incident in the likely event their delay request is denied.