The FBI this week issued a policy notice outlining the rules that companies must follow to request a delay in reporting cyber incidents to the Securities and Exchange Commission (SEC).
According to the document, companies can ask the DOJ (Department of Justice), through the FBI, for a delay of up to 30 days if the disclosure poses a national security risk or threatens public safety. The department may grant up to 60 additional business days in “extraordinary circumstances” that pose a substantial national security risk. However, the FBI said this extension doesn’t apply to public safety risks.
The FBI will document every request it receives, coordinate “checks of U.S. government national security and public safety equities,” and forward the request to the DOJ for review.
“After the FBI makes a referral based on equities checks and fact-finding procedures, DOJ will issue a delay determination. This determination will be communicated in writing concurrently to the victim and the SEC. If DOJ approves the delay request, the FBI should invite the victim to submit any requests for delay extensions to the Bureau. An email address where victims can submit such requests is forthcoming,” the FBI explained.
The FBI and the DOJ will determine whether the situation warrants a delay based on a variety of factors, including the type of vulnerability that was exploited when the initial attack took place and the industry of the victim.
“If it’s something like a zero-day and a nation-state, we’re probably more to lean towards potentially having a concern about that disclosure in terms of the national security risk benefit versus a sort of run-of-the-mill phishing attack,” DOJ deputy assistant attorney general Eun Young Choi said. “Those are sort of case-by-case determinations that we’re going to have to make.”
One important caveat for companies that want to request a delay is that they must report the incident immediately once they determine it’s material. The bureau explains that a material cybersecurity incident is one where “there is a substantial likelihood that a reasonable shareholder would consider it important” when making an investment decision.
“Delay requests won’t be processed unless they are made immediately upon a company’s determination of materiality,” the FBI pointed out, adding that if a company isn’t sure whether an incident is material, it should still contact the FBI immediately and agents will help determine whether it is.
The FBI’s policy notice comes a little over a week before the new rules that the SEC approved earlier this year take effect on December 18. They require companies to file a Form 8-K with the SEC within 4 business days of a cybersecurity incident taking place.
The bureau “strongly encourages companies to contact the FBI soon after a cyber incident is discovered. This early outreach allows the FBI to familiarize itself with the facts and circumstances of an incident before the company makes a materiality determination.”