The U.S. Attorney General’s determination of whether disclosure of a material cybersecurity incident qualifies for a delay will be based on whether such disclosure “poses a substantial risk to public safety and national security.” The SEC must be notified of the determination of the Department of Justice (DOJ) in writing. If a registrant’s request is approved, the DOJ will communicate its decision to the SEC in addition to informing the registrant so that it can delay its Form 8-K filing.

Form 6-K will be amended to require foreign private issuers to furnish information on material cybersecurity incidents that they make or are required to make public or otherwise disclose in a foreign jurisdiction to any stock exchange or to security holders. Form 20-F will be amended to require that foreign private issuers make periodic disclosure comparable to that required in new Regulation S-K Item 106.

The SEC also issued several new compliance and disclosure interpretations (C&DIs) that address additional considerations for registrants that are requesting a delay from disclosing a material incident.

Access the final rule on SEC’s website and the guide on FBI’s website