The Department of Justice published guidelines outlining the process that companies subject to the reporting requirements in Section 13 or 15(d) of the Securities Exchange Act of 1934, or U.S. Government agencies in coordination with such companies, may use to request that the Department authorize delays of cyber incident disclosures required by the U.S. Securities and Exchange Commission in Item 1.05 of Form 8-K.
Article continues below
Department of Justice Material Cybersecurity Incident Delay
eterminations
A company may delay providing a disclosure required by Item 1.05 of Form 8-K if the Attorney General or the Attorney General’s authorized designees determine that the disclosure poses a substantial risk to national security or public safety.
The Department’s guidelines state that when a registrant believes that disclosure required by Item 1.05 of Form 8-K may pose a substantial risk to national security or public safety, the registrant should, directly or through another U.S. Government agency, immediately contact the FBI.
"Form 8-K Item 1.05 requires registrants to “describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.
"Typically, registrants will be able to publicly disclose this material information at a level of generality that does not pose a substantial risk to national security or public safety.
"In certain circumstances, however, the disclosure of some or all of the information required by Item 1.05 could pose such a risk.
"Those circumstances of which a registrant would be aware are expected to be limited to the following categories:
"a) The cybersecurity incident occurred because the illicit cyber activities were reasonably suspected to have involved a technique for which there is not yet well-known mitigation— for example, exploiting a software vulnerability for which there is no patch or other reasonably available mitigation—and the disclosure required by Item 1.05 could lead to more incidents, thereby posing a substantial risk to national security or public safety.
"b) The cybersecurity incident primarily impacts a system operated or maintained by a registrant that contains sensitive U.S. Government information, or information the U.S. Government would consider sensitive, and public disclosure required by Item 1.05 would make that information and/or system vulnerable to further exploitation by illicit cyber activity, thereby posing a substantial risk to national security or public safety.
"This category includes systems operated or maintained for the government as well as systems not specifically operated or maintained for the government that contain information the government would view as sensitive, such as that regarding national defense or research and development performed pursuant to government contracts.
"c) The registrant is conducting remediation efforts for any critical infrastructure or critical system, and any disclosure required by Item 1.05(a) revealing that the registrant is aware of the incident would undermine those remediation efforts and thus pose a substantial risk to national security or public safety.
"d) The circumstances described below in Section 3, after a government agency has made the registrant aware of them.
"The Department anticipates that the following are the types of scenarios in which, at least initially, a recommending U.S. Government agency, rather than a registrant, is likely to be aware of a substantial risk to national security or public safety:
"a) Disclosure to the public of the cybersecurity incident as required by Item 1.05 would risk revealing a confidential source, information relating to U.S. national security, or law enforcement sensitive information and thereby pose a substantial threat to national security or public safety.
"The risk that disclosure will pose a substantial threat to national security or public safety is higher where the registrant learned of the cybersecurity incident only because a U.S. Government agency alerted the registrant to the cybersecurity incident or its possibility of occurrence.
"b) The U.S. Government is prepared to execute, or is aware of, an operation to disrupt ongoing illicit cyber activity that poses a substantial risk to national security or public safety, such as through freezing or seizing information, assets, or infrastructure involved in illicit cyber activity, or by effecting the arrest of an individual or individuals for illicit cyber activity, and public disclosure of the cybersecurity incident as required by Item 1.05 would pose a demonstrable threat or impediment to the success of such an operation ) The U.S.
"Government is aware of or conducting remediation efforts for any critical infrastructure or critical system, and any disclosure required by Item 1.05(a) revealing that the registrant is aware of the incident would undermine those remediation efforts and thus pose a substantial risk to national security or public safety." ■