SEC New Cybersecurity Rules; FBI Issues Guidance on Requesting Delays for Reporting Cybersecurity Issues
The Securities and Exchange Commission (“SEC”) adopted new regulations this year that took effect September 5, 2023, and require disclosure of a “material” cyber-attack in all annual reports beginning December 15, 2023, and in all 8-Ks starting December 18, 2023.[1]
8-K Rules: Disclosures, Materiality, and Timing
The SEC now requires reporting of a cyber-attack in an 8-K when the attack is determined to be “material”. The SEC clarified that the disclosures it is seeking should not extend to:
“[S]pecific, technical information about the registrant’s planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident.”[2]
Several commenters suggested that the SEC sought disclosure of too much information, which could expose additional vulnerabilities or subject companies to additional attacks. Based on these comments, the SEC narrowed the scope of the required disclosure in the final version to:
“[D]escribe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.”[3]
Regarding timing, the rules impose a deadline of four (4) days after the cyber-attack is determined to be material. To discourage a prolonged investigation before materiality is determined, the proposed language requires materiality to be determined “as soon as reasonably practicable after discovery of the incident”.[4]
The SEC defined materiality consistent with current case precedent and current regulatory definitions, namely:
“[I]nformation is material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, or if it would have “significantly altered the ‘total mix’ of information made available.” “Doubts as to the critical nature” of the relevant information should be “resolved in favor of those the statute is designed to protect,” namely investors.”[5]
The timing of the notification can be delayed in certain circumstances. If the cybersecurity incident involves national security or public safety, the Attorney General can approve delays at several discrete approval levels:
- The initial delay may be up to thirty (30) days;
- An additional thirty (30) days may be approved if necessary; and
- An additional sixty (60) days may be approved in extraordinary circumstances.[6]
The Attorney General and the Department of Justice (“DOJ”) have delegated the processing of delay requests to the Federal Bureau of Investigation (“FBI”). On December 12, 2023, the FBI issued guidance on the process for requesting a delay.[7] The guidance outlined the procedure the FBI will use to accept a request for delay on behalf of DOJ. The FBI will process a request only if the entity seeking the delay includes the following information:[8]
- When did the cyber incident occur?
- When did you make a determination to disclose a cyber-incident via 8-K? Include the date, time, and time zone. (Note: Failure to report this information immediately upon determination will cause your delay-referral request to be denied.)
- Are you already in contact with the FBI or another U.S. government agency regarding this incident? If so, provide the names and field offices of the FBI points of contact or information regarding the U.S. government agency with whom you’re in contact.
- Describe the incident in detail. Include the following details, at minimum:
  - What type of incident occurred?
  - What are the known or suspected intrusion vectors, including any identified vulnerabilities if known?
  - What infrastructure or data were affected (if any) and how were they affected?
  - What is the operational impact on the company, if known?
The FBI specifically noted that “Failure to report the information immediately upon determination [of materiality] will cause [the request] to be denied”. The guidance strongly suggests making contact with a local FBI office as soon as possible so that any cybersecurity incidents can be reported in a timely manner if a delay is sought. Waiting until the eve of the reporting deadline will result in an automatic denial.
The guidance also offered the following:
When the Attorney General determines that disclosure of all or part of the information required by Item 1.05 poses a substantial risk to national security or public safety, the Department will notify the Commission of such determination in writing. That notice will specify a period for the delay, up to 30 days.[9]
10-K Rules: Disclosure Requirements
Unlike the reporting requirements for an 8-K as discussed above, the reporting requirements on an entity’s 10-K are less clear.
The SEC has issued final language for disclosing cybersecurity risks, under 106(b)[10], and cybersecurity risk management under 106(c)[11].
The SEC will require registrants to address the following cybersecurity risks under 106(b)(1):[12]
- Whether and how the described cybersecurity processes in Item 106(b) have been integrated into the registrant’s overall risk management system or processes;
- Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes; and
- Whether the registrant has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider.
The SEC will also require registrants to address their cybersecurity risk governance strategy under 106(c)(2):[13]
- Whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise;
- The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and
- Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors.
Because such cybersecurity disclosures are new, there have been no filings under the new rules and no feedback or other guidance from the SEC as to the breadth or depth of the required disclosures. As guidance from the SEC is issued in response to cyber-attacks, legal proceedings, or other advice, this article may be updated to incorporate such information.
[1] https://www.sec.gov/files/rules/final/2023/33-11216.pdf, pg. 107
[2] Id. at pg. 14
[3] Id. at pg. 29
[4] Ibid.
[5] Id. at pg. 15
[6] Id. at pg. 34
[7] https://www.fbi.gov/file-repository/fbi-policy-notice-120623.pdf/view
[8] Review the full requirements of the delay request at https://www.fbi.gov/investigate/cyber/fbi-guidance-to-victims-of-cyber-incidents-on-sec-reporting-requirements-request-a-delay
[9] Department of Justice, Material Cybersecurity Incident Delay Determinations, December 12, 2023, pg. 4 (https://www.justice.gov/media/1328226/dl?inline)
[10] 17 CFR 229.106(b) (Regulation S-K “Item 106(b)”)
[11] 17 CFR 229.106(c) (Regulation S-K “Item 106(c)”)
[12] 88 FR 51896, pg. 47
[13] Ibid.