The big picture: The SEC has released new rules around the timing and filing of Form 8-K for reporting material cybersecurity incidents that could pose a substantial risk to national security or public safety.
Why it matters: The new rules require organizations registered with the SEC to provide required cybersecurity incident disclosure within four days of the determination that the incident is material.
Yes, but: Companies can seek a delay in submitting Form 8-K by requesting that the U.S. Attorney General determine that the disclosure poses a substantial risk to national security or public safety.
What’s next? Organizations should have as part of their incident response plans a provision for notifying and coordinating with relevant law enforcement agencies as needs arise and circumstances dictate.
The U.S. Securities and Exchange Commission (SEC) Division of Corporation Finance has provided further clarity and guidance for companies regarding rules around timing and filing of the new Form 8-K for reporting material cybersecurity incidents.
The new rules (Section 104B. Item 1.05 Material Cybersecurity Incidents), which took effect on December 18, require public companies to provide the required cybersecurity incident disclosure within four business days following the determination that the incident is material (not four business days after the incident occurred or is discovered).
Of particular note, the provision also includes guidance for when a delay beyond the four-business-day deadline would be permissible or would not be permissible. In short, companies can seek a delay in submitting Form 8-K by requesting that the U.S. Attorney General determine that disclosure of the incident on Form 8-K poses a substantial risk to national security or public safety.
Note that requesting a delay does not change the original four-day filing obligation. Only after the Attorney General makes the determination and notifies the SEC that disclosure should be delayed is the deadline extension granted.
The SEC also recognized that the information required in Item 1.05(a) of Form 8-K may not yet be determined or may be unavailable at the time of the required filing and included a mechanism in the final rule for the company to provide the missing information in a subsequent filing.
By way of background, the SEC adopted amendments to its rules on cybersecurity risk management, strategy, governance and incident reporting by public companies on July 26, 2023. The adopted amendments increased reporting and disclosure requirements for companies registered with the SEC. (Read our Flash Report for a summary of the SEC’s adopted amendments.)
This newly released guidance provides further information to organizations wondering, for example, if they are still required to make a disclosure even if it may pose a threat to national security or public safety.
In Summary
A particular concern of these new rules for organizations is the window of four business days for reporting cyber-related incidents. For these regulations, the reporting window begins once an unexpected incident is evaluated to be material in nature, subject to relief permitting certain filing delays due to risks to national security or public safety.
The potential for national security concerns and specific situations demands that organizations have as part of their incident response plans a provision for notifying and coordinating with relevant federal law enforcement agencies, specifically the U.S. Attorney General, as needs arise and circumstances dictate.
In closing, we will continue to monitor developments in this space and will publish another blog whenever the SEC issues interpretive guidance on specific points related to its cyber disclosure rules.
Read additional posts on The Protiviti View related to the SEC.