Takeaways

Under the Securities and Exchange Commission's (SEC) new Final Rules, registrants generally must disclose material cybersecurity incidents within four business days of a materiality determination, but they may delay disclosure if the U.S. Attorney General determines that it would pose a substantial risk to national security or public safety.
The Department of Justice (DOJ) recently issued guidance describing the approach it will take in determining whether delay is warranted.
The DOJ has made clear that it will very rarely grant extension requests, so registrants should be prepared to disclose within the regular four-business-day timeframe.

The SEC's sweeping Cybersecurity Disclosure Final Rules put registrants on a tight deadline—just four business days after a materiality determination to disclose material cybersecurity incidents.

The SEC is keen on regulating this turbulent and fast-evolving environment—and equally prepared to enforce alleged violations. On October 30, 2023, the SEC announced unprecedented charges against not only SolarWinds but also its Chief Information Security Officer for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.

In light of the SolarWinds enforcement action and other warning signs from the SEC, the pressure is on registrants to disclose timely and accurately. In this climate, registrants may be considering whether, in the event of an incident, they may be allowed to delay disclosure (i.e., extend the deadline to disclose) on national security or public safety grounds.

The answer, per recently released guidance from the DOJ, is very rarely. The DOJ listed a small number of circumstances where an extension will be considered and made clear that such requests will not be granted in most cases. The bottom line is that registrants must disclose within four business days unless the government specifically does not want particular information made public, such as a unique flaw in critical infrastructure that cannot be easily remediated.

Background: The SEC's Final Rules
As we discussed in a recent client alert, the Final Rules require registrants to:

  • Disclose in Item 1.05 on Form 8-K "any cybersecurity incident they determine to be material" and to "describe the material aspects of the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the registrant, including its financial condition and results of operations."
  • Determine the "materiality of an incident without unreasonable delay following discovery and, if the incident is determined [to be] material, file an Item 1.05 Form 8-K generally within four business days of such determination."
  • Describe, under Regulation S-K Item 106, the processes by which registrants assess, identify and manage material risks from cybersecurity threats, as well as "whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant."
  • Describe, under Regulation S-K Item 106, the "board of directors' oversight of risks from cybersecurity threats and management's role and expertise in assessing and managing material risks from cybersecurity threats."
  • Foreign private issuers will be required to provide information on "material cybersecurity incidents" that they "make or are required to make public or otherwise disclose in a foreign jurisdiction to any stock exchange or to security holders" in amended Form 6-K. Furthermore, under amended Form 20-F, foreign private issuers will be required to make "periodic disclosure comparable to that required" in new Item 106.

Item 1.05(c) creates an exception to the general disclosure requirement where the U.S. Attorney General determines that disclosure "poses a substantial risk to national security or public safety."

Key Points from the DOJ's Guidance
SEC registrants should not expect to receive an extension of their SEC cyber disclosure obligations from the DOJ. The crux of the DOJ's reasoning is that, in most cases, registrants' disclosures will be general enough to avoid any public safety or national security risk. And while there is no presumption of approval or denial when the DOJ receives an extension request (meaning each request will be handled individually), the department has also made clear that only a very limited set of circumstances will potentially warrant any extension.

The DOJ's department guidelines identify the following limited circumstances in which it might consider granting an extension:

  • The cybersecurity incident involved a technique for which there is not yet well-known mitigation, and disclosure could lead to more incidents, posing a substantial risk to national security or public safety;
  • The cybersecurity incident primarily impacts a system operated or maintained by a registrant that contains "sensitive U.S. Government information," and disclosure would make that system further vulnerable to attack. These include systems maintained for the government, as well as systems containing information the government would consider sensitive, such as information regarding national defense or research and development performed pursuant to government contracts;
  • The registrant is remediating critical infrastructure or systems, and disclosure revealing the registrant is aware of the incident would undermine that remediation and therefore pose a risk; and
  • The government itself informed the registrant of an attack, and public disclosure of that information by the registrant would put confidential sources at risk, possibly disrupt government operations aimed at countering cyberattacks, or undermine ongoing remediation efforts in critical infrastructure or critical systems.

Delay Process and Considerations
Because a registrant whose request is denied must still meet its original deadline, the DOJ has committed to deciding whether to grant an extension within the four-business-day window for making the Form 8-K disclosure.

If a registrant believes the cybersecurity incident poses a substantial risk to national security or public safety, the registrant should immediately contact the FBI (either directly, or through the U.S. Secret Service, the Cybersecurity and Infrastructure Security Agency (CISA), or the relevant sector risk management agency), consistent with the reporting instructions the FBI has issued. The FBI is responsible for receiving delay requests on behalf of the DOJ. A registrant may want to notify the FBI even before it makes a materiality determination, as this will aid the FBI's quick review if the registrant later decides to seek a disclosure delay. Indeed, failure to report the incident immediately upon the materiality determination will cause a delay request to be denied. Under the DOJ's guidance, the FBI refers the request to the DOJ together with its own evaluation of whether a disclosure delay is merited.

If the DOJ believes disclosure of a cybersecurity incident pertaining to a registrant's information system would pose a national security or public safety risk, the government will determine whether to notify and coordinate with the registrant regarding disclosure or a delay request. The DOJ has sole authority to determine whether to grant an extension, but its determination is informed by the FBI's evaluation and by the FBI's consultation with other government agencies. If it determines a delay is warranted, the DOJ will notify the SEC in writing and will specify the period of the delay.

The initial delay period may be up to 30 days. Upon request, registrants may be allowed a possible "additional" period of up to 30 days, a possible "final additional" period of up to 60 days, and a possible further delay "beyond" that. These additional periods of delay are generally only appropriate where the risk is ongoing and, for a "final additional" delay, extraordinary.

The DOJ may also determine that delay is warranted only as to certain information, such as the nature or scope of the incident but not the timing of the incident. Of course, if the DOJ determines delay is not warranted at all, it will inform the registrant and the government, as applicable.

Recommendations
Given the minimal likelihood that the DOJ will grant a delay (let alone a full delay), registrants should be prepared to make a disclosure (even if only in part) immediately upon receiving the DOJ's determination.

Registrants will want to consider the following best practices in connection with seeking disclosure delays:

  • Do not count on an extension to delay disclosure. The biggest takeaway from the DOJ's guidance is that companies should not count on the ability to obtain government permission to delay disclosure on national security or public safety grounds. In the event of a denial, disclosure must be made promptly, and companies must be prepared to do so;
  • Understand the details. If a registrant concludes it will request an extension, it must state its basis with specificity. As part of any delay request, registrants must be prepared to explain why specific language in an 8-K disclosure would trigger a national security or public safety risk. Information to be submitted to the DOJ must include details such as when the incident occurred, where the incident occurred, what kind of incident occurred, the known or suspected intrusion vectors, infrastructure or data affected, the operational impact on the company, confirmed or suspected attribution of the cyber actors responsible and the status of any remediation or mitigation efforts;
  • Timing is critical. Because the DOJ will make its delay decision within four business days of the registrant determining that an incident is material, registrants should submit delay requests as soon as possible. Drafting of any delay request should start before the company definitively decides to make the request. Given the stringent timelines, registrants may want to prepare a template request to ensure timely consideration; and
  • Consult with experts. As we previously noted, directors and officers should be well-versed in understanding cyber risks. Registrants should also consult with counsel and information systems specialists to ensure they appropriately understand and describe the incident (whether in a delay request or in a disclosure).

As with any risk management approach, proactive compliance is key. Registrants, especially those whose information systems may implicate government infrastructure, should ensure they are equipped to promptly request a disclosure delay in the event of an incident—and, equally important, that they are ready to disclose that incident in the likely event their delay request is denied.

These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.