Corp Fin has just released some new CDIs, summarized below, relating to material cybersecurity incidents. As you know, in July, the SEC voted, three to two, to adopt final rules on cybersecurity disclosure, which include a requirement for material incident reporting on Forms 8-K and 6-K. Compliance with the 8-K and 6-K incident disclosure requirements will be required for all companies other than smaller reporting companies beginning on December 18, 2023. SRCs will have an additional 180-day deferral. (See this PubCo post.) The new CDIs can all be found under the caption Exchange Act Forms, in a new Section 104B, Item 1.05 Material Cybersecurity Incidents. Summaries are below, but each CDI number is linked to the CDI on the SEC website, so you can easily read the version in full.
Under the final rule, if a public company experiences a cybersecurity incident that the company determines to be material, the company is required to file a Form 8-K under new Item 1.05, describing the “material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.” The materiality determination regarding a cybersecurity incident must be made “without unreasonable delay” after discovery of the incident. To the extent that the required information has not been determined or is unavailable at the time of the required filing, the company is required to include a statement to that effect in the filing and then file an amendment to its Form 8-K containing that information within four business days after the company, without unreasonable delay, determines the information or the information becomes available.
In response to comments, the SEC adopted a provision allowing delayed filing for an initial 30 days where the Attorney General determines that the disclosure poses a substantial risk to national security or public safety and notifies the SEC in writing. Further extensions of up to 120 days are possible; longer delays would require an SEC exemptive order. The SEC advises that the staff have consulted with the DOJ “to establish an interagency communication process to allow for the Attorney General’s determination to be communicated to the Commission in a timely manner. The Department of Justice will notify the affected registrant that communication to the Commission has been made, so that the registrant may delay filing its Form 8-K.” The release observes that this delay provision is separate from Exchange Act Rule 0-6, which prohibits disclosure of classified information, and would take precedence over these cybersecurity disclosure rules. But how will all this work in practice? These new CDIs, together with the Department of Justice Material Cybersecurity Incident Delay Determinations, Department of Justice (2023), to which each of the CDIs refers, address some of those questions. The DOJ guidance is summarized in the SideBar below.
Item 1.05 Material Cybersecurity Incidents
- New Question 104B.01: A company may delay providing the Item 1.05 Form 8-K disclosure only if the Attorney General determines that disclosure would pose a substantial risk to national security or public safety and notifies the SEC of that determination in writing before the Form 8-K would otherwise be due. Merely requesting a delay does not change the company’s filing obligation. If a company experiences a material cybersecurity incident and requests a determination of whether disclosure of the incident on Form 8-K poses a substantial risk, but the AG declines to make that determination or does not respond before the Form 8-K would otherwise be due, the company must still file the Form 8-K within four business days of its determination that the incident was material.
- New Question 104B.02: But if the company makes the same type of request and the AG determines that disclosure of the incident on Form 8-K would pose a substantial risk to national security or public safety and also notifies the SEC that disclosure should be delayed for the time period provided in Form 8-K Item 1.05(c), the company must file the Item 1.05 Form 8-K within four business days of the expiration of the delay period provided by the AG. If the company subsequently requests an additional delay from the AG, but the AG declines or does not timely respond before the expiration of the current delay period, the deadline for the company to file the Form 8-K is still four business days after the expiration of the original delay period provided by the AG.
- New Question 104B.03: If, after a material cybersecurity incident, disclosure on Form 8-K is delayed for up to 30 days, as specified by the AG, but the AG subsequently determines, during the delay period, that disclosure of the incident no longer poses a substantial risk to national security or public safety and notifies the SEC and the company of this new determination, the company must file the Item 1.05 Form 8-K within four business days of the AG’s notification to the SEC and the company. Here, Corp Fin refers companies specifically to “Changes in circumstances during a delay period” in the DOJ guidelines.