FBI and SEC Provide Guidance on How Companies Can Request Delays From Disclosing Material Cybersecurity Incidents
December 14, 2023
The FBI has posted guidance to its Web site on how companies that are
cyber incident victims can request a delay from disclosing a material incident under
the SEC’s new cybersecurity rule (released on July 26, 2023), with which “all
registrants other than smaller reporting companies must begin complying on December
18, 2023.” (For smaller reporting companies, the compliance date is June 15, 2024.)
The U.S. Attorney General’s determination of whether disclosure of a material
cybersecurity incident qualifies for a delay will be based on whether such
disclosure “poses a substantial risk to public safety and national security.” The
SEC must be notified of the determination of the Department of Justice (DOJ) in
writing. If a registrant’s request is approved, the DOJ will communicate its
decision to the SEC in addition to informing the registrant so that it can delay its
Form 8-K filing.
The SEC also issued several new compliance and
disclosure interpretations (C&DIs) that address additional
considerations for registrants that are requesting a delay from disclosing a
material incident.
For more information about the requirements of the SEC’s new cybersecurity rule, see
Deloitte’s July 30, 2023, Heads Up.