On December 12, 2023, the Department of Justice (DOJ) issued “Material Cybersecurity Incident Delay Determinations” guidelines (Guidelines) outlining the process that public companies subject to the reporting requirements in Section 13 or 15(d) of the Securities Exchange Act of 1934 (registrants) may use to request the Attorney General delay disclosure of “material” cybersecurity incidents under the new SEC cybersecurity disclosure rules.

While the Guidelines set forth a straightforward process for public companies to request a reporting delay from the DOJ, the Guidelines indicate the DOJ will only authorize a delay in limited circumstances that, in practice, will not be available to companies in most incidents. Nonetheless, companies must understand the circumstances in which the DOJ is likely to authorize a disclosure delay and the process for requesting it.

Background

In July, the US Securities and Exchange Commission (SEC) adopted a new cybersecurity disclosure requirement, set out in Form 8-K Item 1.05, under which a public company must disclose a “material” cybersecurity incident within four business days of determining that the incident is “material.” The materiality determination “must be made without unreasonable delay of discovering the incident.” However, the new SEC Rules created an exception from the four-business-day requirement if the DOJ determines that the required disclosure “poses a substantial risk to national security or public safety and notifies the SEC of the determination in writing.” This delay can be for up to 30 days, as determined by the Attorney General, and additional delays beyond 30 days may be available if the DOJ determines they are necessary.

What are the Limited Circumstances for finding a substantial risk to national security or public safety?

In the Guidelines, the DOJ noted that in most incidents, companies will be able to publicly disclose a material cybersecurity incident at a level of generality that does not pose a risk to national security or public safety. However, the Guidelines describe four categories of circumstances that could pose such a risk:

  • The cybersecurity incident is reasonably suspected to be the result of a technique for which there is no well-known mitigation and public disclosure could lead to more incidents (e.g. a zero-day vulnerability for which no patch is available).
  • The cybersecurity incident primarily impacts a system that contains sensitive US Government information and public disclosure would make the information and/or system vulnerable to further exploitation.
  • The registrant is conducting remediation efforts for any critical infrastructure or critical system, and public disclosure would reveal that the registrant is aware of the incident, which would undermine such remediation efforts.
  • A US Government agency determines that disclosure of the incident would risk (i) revealing a confidential source, information relating to US national security, or sensitive law enforcement information; (ii) interfering with an operation to disrupt illicit cyber activity or to effect the arrest of individuals engaged in illicit cyber activity; or (iii) undermining remediation efforts for any critical infrastructure or critical system.

What is the process for registrants to request a delay?

If a registrant thinks that their cybersecurity incident may pose a substantial risk to national security or public safety, the company must contact the FBI to request a delay (through a forthcoming dedicated FBI email address) and provide information responding to ten questions, such as the type of incident, suspected intrusion vector, scope of infrastructure and/or data impacted and suspected attribution of the threat actors responsible. The registrant should also explain the factual circumstances supporting the registrant’s belief that disclosure poses a substantial risk to national security or public safety. Because the Attorney General has to notify the SEC of the decision to delay disclosure within four business days of the registrant making the materiality determination, the Guidelines encourage registrants to communicate with the FBI early – even before making the materiality determination – so that the FBI can collect necessary information and make its own assessment prior to referring the request to the DOJ.

The DOJ, through the FBI, will consult with other US agencies to determine whether a national security or public safety risk exists and how long a delay may be necessary. If the Attorney General determines that the standard for a disclosure delay is met, they will notify the SEC in writing and specify the delay period (up to 30 days). If the Attorney General determines that a delay is necessary for only some of the disclosures required by Item 1.05 (such as the nature and scope of the incident, but not its timing), the Attorney General will notify the registrant and the recommending agency.

The registrant should inform the DOJ of any change in circumstances arising during the delay period that may be relevant to the national security or public safety risk. If the Attorney General determines that the risk no longer exists, they will notify the recommending agency, the SEC and the registrant in writing.

If the DOJ determines that the standard for a delayed disclosure is not met, it will notify the registrant and the recommending agency.

What if an additional delay period is necessary?

If, during an initial delay period, the recommending agency, the registrant or another US Government agency finds that the national security or public safety risk will continue to exist beyond the initial delay period, a request to the FBI for an “additional period” of delay of up to 30 days is appropriate. Such a request should be made at least five business days before the end of the initial delay period and should include a description of the continued risk and an estimate of how long that risk may last. If the Attorney General finds that an additional period is necessary, they will notify the SEC, the registrant and the recommending agency in writing of the nature and scope of the determination and the duration of the additional delay period. Delays for a “final additional” period of up to 60 days will only be granted in “extraordinary circumstances.” Beyond the “final additional” 60-day delay, any further delay must be granted by the SEC through an exemption order.

Tips going forward

As companies continue to update their incident response plans and disclosure processes to address the new SEC disclosure requirements for material cybersecurity incidents, the Guidelines provide useful takeaways that companies should consider to be better prepared to make a disclosure delay request from the DOJ:

  • Establish a relationship with the local FBI Cyber Task Force. Not only will you have current contact information for urgent requests, but the relationship also provides an opportunity to educate the FBI about the nature of the company’s business and the kinds of cybersecurity incidents that could pose a substantial risk to national security or public safety.
  • Consider notifying the FBI early after discovering an incident, even if the company has not yet determined that it rises to the level of a “material” cybersecurity incident. Investigations often take time to establish the full nature and scope of an incident, so the sooner the FBI is aware of the situation, the more quickly it will be able to assess the national security and public safety risks as the investigation reveals new information.
  • Conduct hypothetical threat-scenario sessions with internal stakeholders to identify potential cybersecurity incidents specific to your company that could pose a substantial risk to national security or public safety.
  • Ensure that the team responsible for assessing whether a cybersecurity incident is “material” is aware of the available exemption and the process for requesting one.
  • Familiarize yourself with the information needed to submit a request for delayed disclosure to the FBI and be prepared to collect responsive information quickly after discovering a cybersecurity incident.
