FBI Offers Guidance on Delaying SEC Cyber Incident Disclosures

The Federal Bureau of Investigation (FBI) recently released guidance outlining the process for companies to request a delay in disclosing cybersecurity incidents to the Securities and Exchange Commission (SEC). This move comes in response to new SEC rules that mandate the rapid disclosure of "material" cybersecurity incidents. The guidance advises companies to establish relationships with their local FBI field offices and encourages them to reach out to the FBI promptly after identifying a cyber incident to allow for a review before determining materiality.

Under the new SEC rules, which take effect on December 18, companies must disclose a material cybersecurity incident on Form 8-K within four business days of determining that it is material, unless the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety. The FBI will collect delay requests and forward them to the Department of Justice.

The guidance applies the SEC's materiality standard: a cybersecurity incident is "material" if it is one that "a reasonable shareholder would consider important" when making investment decisions. Simply engaging with the FBI does not make an incident material. Companies are urged to submit a delay request immediately upon determining that an incident is material.

To request a delay, companies must provide detailed information about the incident, including its timing, intrusion vectors, impact on infrastructure and data, operational consequences, and attribution. They must also furnish information on prior delay determinations for the same incident.

The FBI also stresses that companies must state the specific date, time and time zone of their materiality determination; a request that omits this information may be denied. The FBI will also take into account whether the company had already been in contact with a local field office.

The rules have faced backlash from companies and lawmakers since their announcement, with concerns raised over the interpretation of "material cybersecurity incident." Smaller companies have been granted an additional 180 days to comply with the rules, while larger enterprises will be required to adhere to them from December 18.

The Department of Justice (DOJ) can approve a delay of public filing for up to 30 business days, with the possibility of an additional 30 days. In exceptional cases involving substantial national security risks (not public safety), the DOJ may grant an additional 60 business days. Delays cannot exceed 120 business days without an SEC exemptive order.

The FBI's role in the process includes intake of delay requests, documentation, coordination of equity checks with U.S. government national security and public safety interests, and referral to the DOJ. DOJ officials will evaluate requests based on factors such as the industry, the vulnerability exploited, and the attacker's nature.

The FBI and DOJ encourage companies to engage with them before making a materiality determination, so that they can receive guidance on how an incident should be classified. They also note that engaging the FBI does not mean the FBI will itself report the incident to the SEC.

Troy Batterberry, CEO and founder of EchoMark, argued that the rules underestimate the difficulty of handling an incident while it is still unfolding. “The current SEC disclosure rules, while well intentioned to keep investors informed, fail to comprehend the complexity of dealing with such events as they emerge. Prematurely disclosing information can help assist the very criminal(s) involved and make the situation even worse for the victim and their respective investors. Such situations are not just limited to national security,” said Batterberry.
