On December 12, 2023, the Department of Justice (DOJ) issued guidelines for companies to follow in requesting that the Attorney General authorize delays of cyber incident disclosures required by the U.S. Securities and Exchange Commission (“SEC”) pursuant to Form 8-K Item 1.05.
In July, the SEC finalized a rule (the “Final Rule”), which comes into effect on December 18, 2023, requiring companies subject to the reporting requirements in Section 13 or 15(d) of the Securities Exchange Act of 1934 (“registrants”) to determine without “unreasonable delay” whether a cybersecurity incident is “material,” and to report material incidents on SEC Form 8-K within four business days of that determination. In announcing the Final Rule, the SEC restated the standard for materiality from caselaw: information about a cybersecurity incident is “material” if there is “a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, or if it would have “significantly altered the ‘total mix’ of information made available.