FBI Explains How Companies Can Delay SEC Disclosure of Cyber ​​Incidents


The FBI has issued guidance on how companies can request a delay in disclosing cyber incidents to the Securities and Exchange Commission (SEC).

THE document follows new rules approved by the SEC in June requiring companies to promptly disclose “material” cybersecurity incidents and share details of their cybersecurity risk management, strategy and governance with the commission on an ongoing basis. annual.

Companies must report issues to the SEC in an 8-K filing within four business days, unless the U.S. Attorney General determines that disclosure would threaten national security or public safety. The FBI will be responsible for collecting delay request forms and transmitting viable forms to the Department of Justice.

THE rules take effect December 18, but small businesses will have an additional 180 days to comply. The FBI worked with the Department of Justice to create a guidance document for victims on how companies can “request disclosure delays for reasons of national security or public safety.”

Office recommended “all publicly traded companies establish a relationship with their local FBI office’s cyber squad” and “strongly encourage companies to contact the FBI shortly after discovering a cyber incident.” This early awareness allows the FBI to become familiar with the facts and circumstances of an incident before the company makes a decision about its significance.

In a summarythe bureau explained that a “significant cybersecurity incident” is defined as one in which “there is a high probability that a reasonable shareholder would consider it to be material” when making an investment decision.

Simply collaborating with the FBI will not trigger “materiality,” the bureau said.

“However, it could make it easier for the FBI to review if the company determines that a cyber incident is material and requests a delay in disclosure.” Please note that delay requests will only be processed if made immediately after the Company’s determination of significance.

To request a delay, companies must email the FBI information indicating when the incident occurred and when the organization determined it was significant. Failure to provide the correct date, time, and time zone for the materiality determination “will result in your request for deferred removal being denied,” the FBI warned.

The message should include detailed information on the type of cyberattack that occurred, what the intrusion vectors are, what infrastructure or data was affected and how, the operational impact of the incident and whether attribution of the attack is confirmed.

Businesses will need to provide points of contact and information whether this is the first time they are submitting a deferred return request.

“If so, indicate when the Department of Justice made its final delay determination(s) for this incident, on what grounds, and for how long the Department of Justice granted its delay,” the FBI said.

The FBI also wants businesses to indicate in the email whether they have ever been in contact with a local office.

Since the rules were announced, there has been significant backlash from businesses, industry organizations and others. Rep. Andrew Garbarino (R-NY) bill three weeks ago it would overthrow them.

The rules immediately caused outrage from businesses and lawmakers who questioned what the SEC meant by using the term “material cybersecurity incident” in light of the endless barrage of cyberattacks that most large organizations face on a daily basis.

30 days, maybe 30 more

Under the rules, the DOJ may grant a public filing deadline of 30 business days, with the option to delay the public filing for an additional 30 days.

In “extraordinary circumstances,” the department may delay response for an additional 60 business days due to significant risks to national security (but not public safety), the FBI said.

Deadlines cannot exceed 120 business days without an exemption order from the SEC.

The FBI is the agency responsible for receiving delay requests on behalf of the DOJ, documenting each one, “coordinating the U.S. Government’s national security and public safety controls,” and ultimately , to transmit the information to the Ministry of Justice.

The bureau reiterated that if a company does not request a delay in conjunction with determining whether the attack is “significant,” the FBI will not process it.

“In other words, failure to report the cyber incident immediately after determining its significance will result in a denial of a deferred referral request,” they explained.

“Once the FBI makes a referral based on reviews of investigative actions and procedures, the DOJ will issue a delay determination. This decision will be communicated in writing simultaneously to the victim and the SEC. If the DOJ approves the request for a delay, the FBI should invite the victim to submit any request for an extension of time to the Bureau. An email address to which victims can submit such requests will be available soon.

DOJ and FBI officials said at the Aspen Digital conference last month that they would evaluate requests for a disclosure delay based on the victim’s industry, the type of vulnerability exploited for initial access and of the type of attacker.

“If it’s zero-day and nation-state, we’re probably more inclined to be concerned about that disclosure in terms of national security risk, versus some sort of run-of-the-mill phishing.” attack,” Justice Department Deputy Attorney General Eun Young Choi said.

“These are case-by-case decisions that we will have to make.”

She urged companies to come forward to the FBI and DOJ even before determining whether it is a “significant incident,” so officials can help them understand whether it is a “significant incident” or not.

Bryan Vorndran, deputy director of the FBI’s Cyber ​​Division, added that companies should not worry about the FBI or DOJ reporting them to the SEC, emphasizing that the FBI has “no role” in the relationship between a company and its regulator.

“Sometimes we’ll get calls in our field offices and the SEC will say, ‘Hey, we have some questions for the victim organization. Can you let me know when your team and people are offsite and when , we will commit.” with the victim just so they don’t have to engage with the FBI and the SEC at the same time?'” he said.

“That’s generally the amount of overlap between us and the SEC – as a logistical coordination role after or before, but not at the same time.”

Get more information with the

Future saved

Intelligence cloud.

Learn more.

No previous articles

No new articles

Jonathan Greig

Jonathan Greig is a breaking news reporter at Recorded Future News. Jonathan has worked as a journalist around the world since 2014. Before returning to New York, he worked for media outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

Martin Matishak

Martin Matishak is the senior cybersecurity reporter for The Record. Before joining Recorded Future News in 2021, he spent more than five years at Politico, where he covered digital and national security developments on Capitol Hill, the Pentagon and the U.S. intelligence community. He was previously a reporter for The Hill, National Journal Group and Inside Washington Publishers.

Leave a comment