The Protiviti View  | Insights From Our Experts on Trends, Risks and Opportunities

The Protiviti View

Insights From Our Experts on Trends, Risks and Opportunities
Search

POST

2 mins to read

SEC Gives Guidance on Permitted Cyber Incident Filing Delays on Material Events

Views
Laptop computer open and on at night
Larger Font
2 minutes to read

The big picture: The SEC has released new rules around the timing and filing of Form 8-K for reporting material cybersecurity incidents that could pose a substantial risk to national security or public safety.

Why it matters: The new rules require organizations registered with the SEC to provide required cybersecurity incident disclosure within four days of the determination that the incident is material.

Yes, but: Companies can seek a delay in submitting Form 8-K by requesting that the U.S. Attorney General determine that the disclosure poses a substantial risk to national security or public safety.

What’s next? Organizations should have as part of their incident response plans a provision for notifying and coordinating with relevant law enforcement agencies as needs arise and circumstances dictate.

The U.S. Securities and Exchange Commission (SEC) Division of Corporation Finance has provided further clarity and guidance for companies regarding rules around timing and filing of the new Form 8-K for reporting material cybersecurity incidents.

The new rules (Section 104B. Item 1.05 Material Cybersecurity Incidents), which took effect on December 18, require public companies to provide the required cybersecurity incident disclosure within four business days following the determination that the incident is material (not four business days after the incident occurred or is discovered).

Of particular note, the provision also includes guidance for when a delay beyond the four-business-day deadline would be permissible or would not be permissible. In short, companies can seek a delay in submitting Form 8-K by requesting that the U.S. Attorney General determine that disclosure of the incident on Form 8-K poses a substantial risk to national security or public safety.

Note that requesting a delay does not change the original four-day filing obligation. Only after the Attorney General makes the determination and notifies the SEC that disclosure should be delayed is the deadline extension granted.

The SEC also recognized that the information required in Item 1.05(a) of Form 8-K may not yet be determined or may be unavailable at the time of the required filing and included a mechanism in the final rule for the company to provide the missing information in a subsequent filing.

By way of background, the SEC adopted amendments to its rules on cybersecurity risk management, strategy, governance and incident reporting by public companies on July 26, 2023. The adopted amendments increased reporting and disclosure requirements for companies registered with the SEC. (Read our Flash Report for a summary of the SEC’s adopted amendments.)

This newly released guidance provides further information to organizations wondering, for example, if they are still required to make a disclosure even if it may pose a threat to national security or public safety.

In Summary

A particular concern of these new rules for organizations is the window of four business days for reporting cyber-related incidents. For these regulations, the reporting window begins once an unexpected incident is evaluated to be material in nature, subject to relief permitting certain filing delays due to risks to national security or public safety.

The potential for national security concerns and specific situations demands that organizations have as part of their incident response plans a provision for notifying and coordinating with relevant federal law enforcement agencies, specifically the U.S. Attorney General, as needs arise and circumstances dictate.

In closing, we will continue to monitor developments in this space and will publish another blog whenever the SEC issues interpretive guidance on specific points related to its cyber disclosure rules.

Read additional posts on The Protiviti View related to the SEC.

Was this post helpful to you?

Thanks for your feedback!

Subscribe to The Protiviti View Blog

To face the future confidently, you need to be equipped with valuable insights that align with your interests and business goals.

In this Article

Authors

Charles Soranno

By Charles Soranno

Verified Expert at Protiviti

Charles is a Managing Director in New York with extensive experience in IPOs, technical accounting and SEC reporting,...

EXPERTISE

No noise.
Just insights.

Subscribe now

Related posts

Article

What is it about

The big picture: C-suite leaders in traditional aerospace and defense (A&D) companies are launching and growing their aftermarket services and...

Article

What is it about

What to watch: President-elect Donald Trump will take office in January 2025 with Republican control of both the Senate and...

Article

What is it about

As the stakes increase for ensuring the integrity of sustainability reports, CFOs across all industries should not only consider adding...