As a follow up to yesterday’s post, our recent Client Alert discusses new guidance from the FBI, DOJ, and SEC on requesting a delay to Form 8-K disclosures for material cybersecurity incidents that pose a substantial risk to national security or public safety. Our client alert discusses the process the FBI has established to request the delay, the approach the DOJ will take when evaluating whether to authorize the delay, and new Compliance and Disclosure Interpretations (CDIs) issued by the SEC’s Division of Corporation Finance regarding this national security and public safety exception.
In addition on December 14, 2023, Erik Gerding, the Director of the SEC’s Division of Corporation Finance, issued a statement on the final cybersecurity disclosure rules. He provided an overview of the cybersecurity disclosure rules and their rationale, the material cybersecurity incident reporting requirements, and the risk management, strategy, and governance disclosure provisions. He specifically discussed one of the new CDIs, which provides that the “sole fact” that a company consults with the DOJ about the availability of a delay in reporting a cybersecurity incident on Form 8-K does not “necessarily result in the determination that the incident is material,” stating his hope that this new CDI “underscores that the rule does not create a disincentive for public companies to consult with law enforcement or national security agencies about cybersecurity incidents.” In addition, he encouraged companies to consult with the staff on interpretive questions, and emphasized that in their first year of review, the staff may issue forward-looking comments and additional CDIs but were not seeking “to make ‘gotcha’ comments or penalize foot faults.”