Cybersecurity in the spotlight: SEC compliance on C&DI

Understanding the complexities of SEC compliance can be challenging for many businesses. With recent updates to cybersecurity disclosure requirements, staying informed is more critical than ever. In this article, written by Laura Anthony of the SecuritiesLaw Blog, we delve into the key aspects of these new regulations and explore what they mean for companies today. Whether you’re looking to understand the intricacies of cyber incident disclosure or need to stay up-to-date with the latest SEC guidelines, this comprehensive overview will provide valuable insights.

Back in the fourth quarter of 2023, the SEC published several new compliance and disclosure interpretations on various topics including cyber incident disclosure, proxy and information statements, the inclusion of securities in the filing fee exhibit, and Inline XBRL. As my blog topic list tends to be very long, I am finally getting to this and will cover the various new C&DI topics over the next few weeks.

Cybersecurity

In July 2023, the SEC adopted final new rules requiring disclosures for both domestic and foreign companies related to cybersecurity incidents, risk management, strategy and governance (see HERE for a review of the new rules). The SEC has published three new C&DI directly related to the Form 8-K reporting requirements and the ability to delay reports based on national security concerns.

The cybersecurity rules add new Item 1.05 to Form 8-K requiring disclosure of a material cybersecurity incident including the incident’s nature, scope, timing, and material impact or reasonably likely impact on the company.  An Item 1.05 Form 8-K is due within four business days following determination that a cybersecurity incident is material. Given the sensitive nature of cybersecurity crimes, the SEC has added a provision allowing an 8-K to be delayed if it is informed by the United States Attorney General, in writing, that immediate disclosure would pose a substantial risk to national security or public safety.

The delay can be up to the time specified by the Attorney General or 30 days with the ability to extend for an additional 30 days at the written request of the Attorney General. In extraordinary circumstances, disclosure may be delayed for a final additional period of up to 60 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security and notifies the SEC of such determination in writing.  Further, a company may delay filing the Form 8-K up to seven business days following notification of the Secret Service and FBI pursuant to an FCC notification rule for breaches of customer proprietary network information, with written notification to the SEC.

The 3 new C&DI are as follows:

Question 104B.01 – A registrant experiences a material cybersecurity incident, and requests that the Attorney General determine that disclosure of the incident on Form 8-K poses a substantial risk to national security or public safety. The Attorney General declines to make such determination or does not respond before the Form 8-K otherwise would be due. What is the deadline for the registrant to file an Item 1.05 Form 8-K disclosing the incident?

Answer – The registrant must file the Item 1.05 Form 8-K within four business days of its determination that the incident is material. Requesting a delay does not change the registrant’s filing obligation. The registrant may delay providing the Item 1.05 Form 8-K disclosure only if the Attorney General determines that disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing before the Form 8-K otherwise would be due. For further information on the Department of Justice’s procedures with respect to Item 1.05(c) of Form 8-K, please see Department of Justice Material Cybersecurity Incident Delay Determinations, Department of Justice (2023), at HERE.

Question 104B.02 – A registrant experiences a material cybersecurity incident, and requests that the Attorney General determine that disclosure of the incident on Form 8-K poses a substantial risk to national security or public safety. The Attorney General makes such determination and notifies the Commission that disclosure should be delayed for a time period as provided for in Form 8-K Item 1.05(c). The registrant subsequently requests that the Attorney General determine that disclosure should be delayed for an additional time period. The Attorney General declines to make such determination or does not respond before the expiration of the current delay period. What is the deadline for the registrant to file an Item 1.05 Form 8-K disclosing the incident?

Answer – The registrant must file the Item 1.05 Form 8-K within four business days of the expiration of the delay period provided by the Attorney General. For further information on the Department of Justice’s procedures with respect to Item 1.05(c) of Form 8-K, please see Department of Justice Material Cybersecurity Incident Delay Determinations, Department of Justice (2023), at HERE.

Question 104B.03 – A registrant experiences a material cybersecurity incident and disclosure of the incident on Form 8-K is delayed pursuant to Form 8-K Item 1.05(c) for a time period of up to 30 days, as specified by the Attorney General. Subsequently, during the pendency of the delay period, the Attorney General determines that disclosure of the incident no longer poses a substantial risk to national security or public safety. The Attorney General notifies the Commission and the registrant of this new determination. What is the deadline for the registrant to file an Item 1.05 Form 8-K disclosing the incident?

Answer – The registrant must file the Item 1.05 Form 8-K within four business days of the Attorney General’s notification to the Commission and the registrant that disclosure of the incident no longer poses a substantial risk to national security or public safety. See also “Changes in circumstances during a delay period” in Department of Justice Material Cybersecurity Incident Delay Determinations, Department of Justice (2023), at HERE.

Final insights

The introduction of these new cybersecurity rules underscores the SEC’s commitment to safeguarding national security and public safety through stringent disclosure requirements. Companies must now adhere to specific timelines and protocols when disclosing material cybersecurity incidents, balancing transparency with the need to protect sensitive information.

As we explore these new regulations in detail, it is essential for businesses in private capital markets to stay informed and compliant to mitigate risks and enhance their cybersecurity posture.
