The FBI is taking the lead on fielding publicly traded companies’ requests to delay the disclosure of material cybersecurity incidents to the Securities and Exchange Commission.
The agency last week published its policies for documenting disclosure delay requests. It also detailed the circumstances under which delays might be granted if a public filing would pose a significant threat to public safety or national security under the SEC rule.
Businesses, starting Monday, are required to disclose every material cybersecurity incident to the SEC in 8-K filings within four business days of determining material impact.
The rule took effect Sept. 5 and the SEC will start enforcing the rule on Monday. Smaller companies are required to comply with the rule starting June 15, 2024.
The SEC’s efforts to require more transparency from businesses in the midst of a cyberattack will further underscore the scope and scale of malicious activity against publicly traded companies.
The mandate will also catalyze the federal government’s efforts to learn more about ransomware attacks early, as most attacks go unreported and a lack of reporting hinders law enforcement’s ability to take action against threat actors.
“If we don’t get detailed, timely and accurate information as to these intrusions, we are not able to take actions on those,” a senior FBI official said last month in a media briefing about Scattered Spider.
A provision in the SEC rule permits the attorney general to grant a delay for 30 business days with an option to extend the filing deadline an additional 30 days. Under “extraordinary circumstances,” the attorney general can delay the disclosure another 60 business days due to substantial national security risks, the FBI said.
Victim organizations are encouraged to engage with the FBI, the U.S. Secret Service, the Cybersecurity and Infrastructure Security Agency or sector-risk management agencies prior to making a materiality determination.
Such communications won’t render the incident material but “it could assist with the FBI’s review if the company determines that a cyber incident is material and seeks a disclosure delay,” the FBI said.
A material cybersecurity incident triggering a disclosure to the SEC occurs when “there is substantial likelihood that a reasonable shareholder would consider it important” to their investment decisions, the FBI said in a summary.
Companies seeking a delay must contact the FBI and share details about when the incident occurred and when the organization deemed it material.
The FBI will document these requests, investigate potential impacts to national security and public safety, and consult with the Secret Service, CISA and SRMAs before referring delay requests to the Justice Department.
The DOJ and attorney general will issue a delay determination and communicate that decision in writing to the victim and the SEC, the FBI said.