United States | Publication | December 2023
On December 12, 2023, the Department of Justice (DOJ) issued “Material Cybersecurity Incident Delay Determinations” guidelines (Guidelines) outlining the process that public companies subject to the reporting requirements in Section 13 or 15(d) of the Securities Exchange Act of 1934 (registrants) may use to request that the Attorney General delay disclosure of “material” cybersecurity incidents under the new SEC cybersecurity disclosure rules.
While the Guidelines set forth a straightforward process for public companies to request a reporting delay from the DOJ, the Guidelines indicate the DOJ will only authorize a delay in limited circumstances that, in practice, will not be available to companies in most incidents. Nonetheless, companies must understand the circumstances in which the DOJ is likely to authorize a disclosure delay and the process for requesting it.
In July, the US Securities and Exchange Commission (SEC) adopted a new cybersecurity disclosure requirement, set out in Form 8-K Item 1.05, under which a public company must disclose a “material” cybersecurity incident within four business days of determining that the incident is “material.” The materiality determination “must be made without unreasonable delay of discovering the incident.” However, the new SEC Rules created an exception to the four-business-day requirement if the DOJ determines that the required disclosure “poses a substantial risk to national security or public safety and notifies the SEC of the determination in writing.” This delay can be for up to 30 days, as determined by the Attorney General, but additional delays may be available beyond 30 days if the DOJ determines they are necessary.
In the Guidelines, the DOJ noted that in most incidents, companies will be able to publicly disclose a material cybersecurity incident at a level of generality that does not pose a risk to national security or public safety. However, the Guidelines describe four categories of circumstances that could pose such a risk:
If a registrant believes that its cybersecurity incident may pose a substantial risk to national security or public safety, the company must contact the FBI to request a delay (through a forthcoming dedicated FBI email address) and provide information responding to ten questions, such as the type of incident, the suspected intrusion vector, the scope of infrastructure and/or data impacted and the suspected attribution of the threat actors responsible. The registrant should also explain the factual circumstances supporting its belief that disclosure poses a substantial risk to national security or public safety. Because the Attorney General must notify the SEC of the decision to delay disclosure within four business days of the registrant making the materiality determination, the Guidelines encourage registrants to communicate with the FBI early – even before making the materiality determination – so that the FBI can collect the necessary information and make its own assessment before referring the request to the DOJ.
The DOJ, through the FBI, will consult with other US agencies to determine whether a national security or public safety risk exists and how long a delay may be necessary. If the Attorney General determines that the standard for a disclosure delay is met, the Attorney General will notify the SEC in writing and specify the delay period (up to 30 days). If the Attorney General determines that delay is necessary for only some of the Item 1.05 required disclosures (such as the nature and scope of the incident, but not its timing), the Attorney General will notify the registrant and the recommending agency.
The registrant should inform the DOJ of any change in circumstances relevant to the national security or public safety risk that arises during the delay period. If the Attorney General determines there is no longer a risk, the Attorney General will notify the recommending agency, the SEC and the registrant in writing.
If the DOJ determines that the standard for a delayed disclosure is not met, it will notify the registrant and the recommending agency.
If, during an initial delay period, the recommending agency, the registrant or another US Government agency finds that the national security or public safety risk will continue beyond the initial delay period, a request to the FBI for an “additional period” of delay of up to 30 days is appropriate. Such a request should be made at least five business days before the end of the initial delay period and include a description of the continued risk and an estimate of how long that risk may last. If the Attorney General finds that an additional period is necessary, the Attorney General will notify the SEC, the registrant and the recommending agency in writing of the nature and scope of the determination and the duration of the additional delay period. Delays for a “final additional” period of up to 60 days will only be granted in “extraordinary circumstances.” Beyond the “final additional” 60-day delay, the SEC will need to grant any further delay through an exemption order.
As companies continue to update their incident response plans and disclosure processes to address the new SEC disclosure requirements for material cybersecurity incidents, the Guidelines provide useful takeaways that companies should consider to be better prepared to make a disclosure delay request from the DOJ:
© Norton Rose Fulbright LLP 2023