FBI explains how companies can delay SEC cyber incident disclosures

The FBI has published guidance on how companies can request a delay in disclosing cyber incidents to the Securities and Exchange Commission (SEC).

The document is a follow-up to the new rules the SEC approved in July, which require companies to quickly disclose material cybersecurity incidents and to share details of their cybersecurity risk management, strategy and governance with the commission on an annual basis.

Companies have to report material incidents to the SEC in 8-K filings within four business days of determining that an incident is material, unless the U.S. attorney general determines that disclosure would threaten national security or public safety. The FBI will be responsible for collecting delay request forms and passing the viable ones on to the Justice Department.

The rules take effect on December 18, but smaller companies will have an extra 180 days to comply. The FBI worked with the Department of Justice to create the guidance document, which tells victims how to request disclosure delays for national security or public safety reasons.

The bureau recommends that all publicly traded companies establish a relationship with the cyber squad at their local FBI field office, and it strongly encourages companies to contact the FBI soon after a cyber incident is discovered. This early outreach allows the FBI to familiarize itself with the facts and circumstances of an incident before the company makes a materiality determination.

In a summary, the bureau explained that a material cybersecurity incident is defined as one for which there is a substantial likelihood that a reasonable shareholder would consider it important when making an investment decision.

Simply engaging with the FBI won't trigger materiality, the bureau said.

However, early engagement could assist with the FBI's review if the company later determines that a cyber incident is material and seeks a disclosure delay. The guidance also notes that delay requests won't be processed unless they are made immediately upon a company's determination of materiality.

To request a delay, companies must email the FBI information about when the incident occurred and when the organization determined it was material. "A failure to provide the exact date, time, and time zone for the materiality determination will cause your delay-referral request to be denied," the FBI warned.

The message should include detailed information about what kind of cyberattack occurred, what the intrusion vectors were, what infrastructure or data was affected, what the operational impact of the incident is, and whether there is confirmed attribution of the attack.

Companies will need to provide points of contact and information about whether it is the first time they have submitted a delay-referral request.

"If yes, indicate when the Department of Justice made its last delay determination(s) for this incident, on what grounds, and for how long the Justice Department granted its delay," the FBI said.

The FBI also wants companies to say in the email whether they have already been in contact with a local field office.

Since the rules were announced, there has been significant backlash from companies, industry organizations and others. Rep. Andrew Garbarino (R-NY) proposed legislation three weeks ago that would overturn them.

The rules immediately caused outrage from companies and lawmakers, who questioned what the SEC meant by the term "material cybersecurity incident" in light of the endless barrage of cyberattacks most large organizations face on a daily basis.

Under the rules, DOJ can grant a delay of the public filing for 30 business days, with an option to delay for an additional 30.

In extraordinary circumstances, the department can delay for an additional 60 business days due to substantial national security, but not public safety, risks, the FBI said.

The delays cannot exceed 120 business days in total without an exemptive order from the SEC.

The FBI is the agency responsible for intaking the delay requests on behalf of the DOJ, documenting each one, coordinating checks of U.S. government national security and public safety equities, and ultimately referring the information to the Justice Department.

The bureau reiterated that if a company does not make the delay request at the same time as it determines that the attack was material, the FBI will not process it.

"In other words, failure to report the cyber incident immediately upon determination of materiality will cause a delay-referral request to be denied," the bureau explained.

After the FBI makes a referral based on its equities checks and fact-finding procedures, DOJ will issue a delay determination. This determination will be communicated in writing, concurrently, to the victim and the SEC. If DOJ approves the delay request, the FBI will invite the victim to submit any requests for delay extensions to the bureau. An email address where victims can submit such requests is forthcoming.

DOJ and FBI officials said at the Aspen Digital Conference last month that they will evaluate disclosure delay requests based on the industry of the victim, the type of vulnerability exploited for initial access and the type of attacker.

"If it's something like a zero-day and a nation-state, we're probably more to lean towards potentially having a concern about that disclosure in terms of the national security risk-benefit versus a sort of run-of-the-mill phishing attack," said Department of Justice Deputy Assistant Attorney General Eun Young Choi. "Those are sort of case-by-case determinations that we're going to have to make."

She urged companies to come forward to the FBI and DOJ even before they have determined whether an incident is material, so that officials can help them understand whether it is or is not.

Bryan Vorndran, assistant director of the FBI's Cyber Division, added that companies should not be concerned about the FBI or DOJ reporting them to the SEC, noting that the FBI has no role in the relationship between a company and its regulator.

"We will get calls in our field offices at times and the SEC will say, 'Hey, we have questions for the victimized organization. Can you let me know when your team and your folks are off site, and at that time we'll engage with the victim,' just so that they don't have to engage with the FBI and SEC at the same time," he said. "That's generally the magnitude of the overlap between us and the SEC: a logistics coordination role, after or before, but not at the same time."

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

Martin Matishak is the senior cybersecurity reporter for The Record. Prior to joining Recorded Future News in 2021, he spent more than five years at Politico, where he covered digital and national security developments across Capitol Hill, the Pentagon and the U.S. intelligence community. He previously was a reporter at The Hill, National Journal Group and Inside Washington Publishers.

Copyright 2023 The Record from Recorded Future News.