SEC Staff Releases New Interpretive Guidance on Cybersecurity Incident Disclosure

Summary

Effective December 18, 2023, SEC registrants (“registrants”) other than smaller reporting companies are required to disclose material cybersecurity incidents on Form 8-K within four business days from the date they determine the incident is material. 

The SEC staff released Compliance and Disclosure Interpretations (C&DIs) addressing the due date for disclosing material cybersecurity incidents when registrants request to delay disclosure in the interest of national security or public safety. Additionally, the C&DIs clarify that registrants may consult with the Department of Justice (DOJ) or other national security agencies regarding their cybersecurity incidents, including before their materiality assessments are completed.


Material Cybersecurity Incidents Guidance

Item 1.05(c) of Form 8-K permits registrants to delay disclosing a material cybersecurity incident when the U.S. Attorney General (“Attorney General”) notifies the SEC in writing that such disclosure poses a substantial risk to national security or public safety. 

The SEC staff issued the following guidance on the deadline to disclose material cybersecurity incidents when registrants request a delay:


Scenario: The Attorney General does not respond to the registrant’s request or declines to make a determination (104B.01)

Form 8-K filing due date: Within four business days from the date the registrant determined the cybersecurity incident is material

Scenario: The Attorney General notifies the SEC in writing that such disclosure poses a substantial risk to national security or public safety, and:

  • The registrant requests an additional delay but the Attorney General does not respond to the request or declines to make a determination (104B.02).
  • During the delay period, the Attorney General notifies the registrant and SEC that disclosure no longer poses a substantial risk to national security or public safety (104B.03).

Form 8-K filing due date: Within four business days from the date:

  • The delay period ends
  • The Attorney General notifies the registrant and SEC


The C&DIs also clarify that consulting with the DOJ regarding the availability of a delay does not indicate that the registrant has concluded the incident is material (104B.04).

See our publication The SEC’s New Cyber Disclosure Rules are Here for a summary of the final rules.

Link to C&DIs


Smaller reporting companies have until June 15, 2024, to comply with the new disclosure requirement.
The DOJ released guidance that registrants should follow to obtain a delay, which includes information about the Attorney General’s process to determine whether a delay is appropriate.