SEC Staff Releases New Interpretive Guidance on Cybersecurity Incident Disclosure
Summary
Effective December 18, 2023, SEC registrants (“registrants”) other than smaller reporting companies1 are required to disclose material cybersecurity incidents on Form 8-K within four business days from the date they determine the incident is material.
The SEC staff released Compliance and Disclosure Interpretations (C&DIs) on the due date to disclose material cybersecurity incidents when registrants request to delay disclosure in the interest of national security or public safety. Additionally, the C&DIs clarify that registrants may consult with the Department of Justice (DOJ) or other national security agencies regarding their cybersecurity incidents, including before their materiality assessments are completed.
Material Cybersecurity Incidents Guidance
Item 1.05(c) of Form 8-K permits registrants to delay disclosing a material cybersecurity incident when the U.S. Attorney General (“Attorney General”) notifies the SEC in writing that such disclosure poses a substantial risk to national security or public safety.
The SEC staff issued the following guidance on the deadline to disclose material cybersecurity incidents when registrants request a delay:2
SCENARIO | FORM 8-K FILING DUE DATE |
The Attorney General does not respond to the registrant’s request or declines to make a determination (104B.01) | Within four business days from the date the registrant determined the cybersecurity incident is material |
The Attorney General notifies the SEC in writing that such disclosure poses a substantial risk to national security or public safety, and:
| Within four business days from the date:
|
The C&DIs also clarify that consulting with the DOJ regarding the availability of a delay does not indicate that the registrant has concluded the incident is material (104B.04).
See our publication The SEC’s New Cyber Disclosure Rules are Here for a summary of the final rules.
Link to C&DIs
Link to Statement by Erik Gerding, Director of the Division of Corporation Finance: Cybersecurity Disclosure3
1 Smaller reporting companies have until June 15, 2024, to comply with the new disclosure requirement.
2 The DOJ released guidance that registrants should follow to obtain a delay, which includes information about the Attorney General’s process to determine whether a delay is appropriate
3 This speech offers helpful background information on the SEC’s new cybersecurity disclosure rules.
SHARE