TheCorporateCounsel.net

July 28, 2023

More on Cybersecurity: Drilling Down on Form 8-K Delay Provisions

As I mentioned in the blog yesterday, as part of the cybersecurity rulemaking, the SEC adopted new Item 1.05(a) of Form 8-K, which specifies that if an issuer experiences a cybersecurity incident that is determined by the company to be material, the company must describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the issuer, including its financial condition and results of operations. The Item 1.05 Form 8-K must be filed within four business days of determining that an incident was material, subject to limited exceptions.

A number of commenters on the proposed rules had suggested that the SEC include a provision allowing for a delay in the filing of the Form 8-K when there is an active law enforcement investigation or the disclosure otherwise implicates national security or public safety. For example, Debevoise suggested in its comment letter that the Commission “delay reporting of a cybersecurity incident that is the subject of a bona fide investigation by law enforcement,” because such “delay in reporting may not only facilitate such an investigation, it may be critical to its success.”

The Commission decided to not adopt a broad law enforcement delay provision in the final rules, but it did provide for delays in the Form 8-K deadline for two specific circumstances that are worth drilling down on.

First, paragraph (d) of Item 1.05 indicates that if a company is subject to the FCC’s notification rule for breaches of customer proprietary network information (CPNI), the company may delay providing the disclosure required by Item 1.05 for such period that is applicable under the notification rule and in no event for more than seven business days after notification required under that provision has been made, so long as the company notifies the SEC in correspondence submitted via the EDGAR system no later than the date when the disclosure required by Item 1.05 was otherwise required to be provided. This notification requirement specifically relates to telecommunications carriers and VoIP providers, so it will have fairly limited application.

Second, paragraph (c) of Item 1.05 provides a framework for delaying the filing of an Item 1.05 Form 8-K if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of such determination in writing. Paragraph (c) specifies that if the Attorney General determines that disclosure required by paragraph (a) of Item 1.05 poses a substantial risk to national security or public safety, and notifies the SEC of such determination in writing, the company may delay providing the disclosure required by Item 1.05 for a time period specified by the Attorney General, up to 30 days following the date when the disclosure required by Item 1.05 was otherwise required to be provided. Disclosure may be delayed for an additional period of up to 30 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security or public safety and notifies the SEC of such determination in writing. In extraordinary circumstances, disclosure may be delayed for a final additional period of up to 60 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security and notifies the Commission of such determination in writing. If the Attorney General indicates that further delay is necessary, the SEC will consider additional requests for delay and may grant such relief through exemptive orders.

The SEC notes in the adopting release that it consulted with the Department of Justice to establish an interagency communication process to allow for the Attorney General’s determination to be communicated to the SEC in a timely manner. The SEC notes that the Department of Justice will notify the affected company that communication to the SEC has been made, so that the company may delay filing its Form 8-K.

The SEC indicates that the delay provision for substantial risk to national security or public safety is separate from Exchange Act Rule 0-6, which provides for the omission of information that has been classified by an appropriate department or agency of the Federal government for the protection of the interest of national defense or foreign policy. The SEC indicates that if the information a company would otherwise disclose on an Item 1.05 Form 8-K or pursuant to Item 106 of Regulation S-K or Item 16K of Form 20-F is classified, the company should comply with Exchange Act Rule 0-6.

It seems to me that the delay provision for substantial risk to national security or public safety will likely not often be invoked. While general disclosure about a cybersecurity breach is sometimes a concern from a law enforcement perspective, only rarely do circumstances occur where a breach would meet the threshold for constituting a substantial risk to national security or public safety. So while it is helpful that the Commission did listen to commenters’ concerns and adopt these two specific delay provisions, they are unlikely to be a factor in the disclosure decisions for a wide range of public companies facing cybersecurity breaches.

– Dave Lynn