The FBI has released guidelines detailing the process by which companies can seek deferment in disclosing cyber incidents to the Securities and Exchange Commission (SEC).
Under the SEC’s new regulations, which mandate swift disclosure of “material” cybersecurity incidents and annual submission of cybersecurity risk management details, companies are required to report such incidents in 8-K filings within four business days, unless the U.S. attorney general determines that disclosure would put national security or public safety at risk.
The FBI will handle delay request forms, directing viable requests to the Department of Justice (DOJ). A guidance document, created in collaboration with the DOJ, instructs victims on requesting disclosure delays for national security or public safety reasons.
The bureau advises publicly traded companies to establish contact with their local FBI cyber squad promptly after discovering a cyber incident. This proactive engagement allows the FBI to familiarize itself with the circumstances before the company determines the incident’s materiality.
Defining a “material cybersecurity incident” as one that a reasonable shareholder would find significant for investment decisions, the FBI clarified that mere engagement with them won’t automatically constitute “materiality.” However, prompt engagement can aid the FBI’s review if a delay in disclosure is sought.
To request a delay, companies must email the FBI the specific timing of the incident and its details, including the nature of the cyberattack, the affected infrastructure or data, the operational impact, whether attribution has been confirmed, and any prior delay requests.
The FBI warns that delay requests which do not state precisely when the company determined the incident was material risk rejection.
The DOJ can initially grant a delay of up to 30 business days, extendable by another 30 days; in exceptional cases, further extensions are possible up to a maximum of 120 business days in total, which requires an SEC exemptive order.
DOJ and FBI officials highlighted that evaluations for disclosure delays will consider the victim’s industry, exploited vulnerabilities, and attacker type, emphasizing the need for early engagement to determine materiality.
They assured that the FBI’s role is not to report companies to the SEC but rather to facilitate coordination, ensuring companies don’t have simultaneous interactions with both agencies.