Hogan Lovells 2024 Election Impact and Congressional Outlook Report
News
Agencies issue guidance on delayed SEC reporting of material cybersecurity incidents
SEC Update
09 January 2024
Since December 18, 2023 public companies other than smaller reporting companies are required to report a cybersecurity incident under Item 1.05 of Form 8-K within four business days after the company determines the incident is material.
Item 1.05(c) of Form 8-K permits a company to delay disclosing a material cybersecurity incident for a limited period of time if the U.S. Attorney General determines that the disclosure required by Item 1.05(a) poses a substantial risk to national security or public safety. The Department of Justice (DOJ) and the Federal Bureau of Investigation (FBI) recently issued guidance describing the process for making that determination. The process requires the company experiencing the incident or a U.S. government agency in some circumstances to submit to the FBI a written request for delayed disclosure.
In addition, the SEC’s Division of Corporation Finance has issued compliance and disclosure interpretations (C&DIs) under Form 8-K clarifying the application of the Item 1.05 filing deadline when delayed disclosure may be available.
The DOJ guidelines with respect to Item 1.05(c) determinations can be viewed here, while the FBI’s guidance and its related policy statement can be viewed here and here. The new C&DIs can be seen here.
Read more below.
Authored by Alan Dye (co-editor), Richard Parrino (co-editor), John Beckman, Kevin Greenslade, Ann Kim, Paul Otto, Peter Marta, Allison Holt Ryan, Nathan Salminen, and Nicholas Hoover.
Contacts
Washington, D.C.
News
Agencies issue guidance on delayed SEC reporting of material cybersecurity incidents
09 January 2024
Search
