Companies won’t have an easy path toward earning additional time from the Department of Justice (DOJ) regarding the disclosure of a material cybersecurity incident to the Securities and Exchange Commission (SEC) as required under a new rule.
The DOJ released guidance Tuesday on how it will reach its determinations on whether companies qualify for disclosure delays, which are available when the U.S. attorney general determines that national security risks are at play. In all other circumstances, the SEC’s rule, adopted in July and effective this month, requires public companies to disclose the nature, scope, timing, and impact of a cybersecurity incident within four business days of determining that the incident is material.
Last week, the Federal Bureau of Investigation published guidance on what information companies seeking a reporting delay should provide and where to submit requests. The DOJ’s guidance suggested there will be “limited circumstances” where delays will be granted.
“While cybersecurity incidents themselves frequently threaten public safety and national security, the disclosure to the public that those incidents have occurred poses threats less often,” the agency said. “In many circumstances, the prompt public disclosure of relevant information about a cybersecurity incident provides an overall benefit for investors, public safety, and national security.”
Circumstances where national security risks could be at play, according to the guidance, include the following:
- The cybersecurity incident is reasonably suspected to have involved a technique for which there is not yet a well-known mitigation;
- The incident primarily impacted a system that contains sensitive U.S. government information or information the government would consider sensitive; or
- The registrant is conducting remediation for critical infrastructure or a critical system, and a disclosure revealing that the registrant is aware of the incident would undermine those efforts.
If the DOJ does determine a disclosure would threaten national security, it expects to grant a reporting delay of up to 30 days. The attorney general might also decide, for example, that “disclosure of the timing of the incident would not pose a substantial risk to national security or public safety, but disclosure of the nature or scope of the incident would pose such a risk.” Any such determination would be communicated to the SEC.
The SEC’s rule allows for additional periods of delay, where deemed appropriate by the attorney general.