Companies won’t have an easy path toward earning additional time from the Department of Justice (DOJ) regarding the disclosure of a material cybersecurity incident to the Securities and Exchange Commission (SEC) as required under a new rule.

The DOJ released guidance Tuesday on how it will determine whether companies qualify for the disclosure delays available when the U.S. attorney general determines there are national security risks at play. In all other circumstances, the SEC’s rule, adopted in July and effective this month, requires public companies to disclose the nature, scope, timing, and impact of cybersecurity incidents within four business days of discovering that an incident is material.