Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Breaches

FBI Issues Guidance for Delaying SEC-Required Data Breach Disclosure 

The FBI has issued guidance for SEC data breach reporting requirements and how disclosures can be delayed.

The FBI has issued guidance regarding the data breach reporting requirements of the Securities and Exchange Commission (SEC), providing useful information on how disclosures can be delayed.

The SEC announced in late July that it had adopted new cybersecurity incident disclosure rules for public companies, requiring them to disclose, through a Form 8-K filing, any material breach within four business days. The rules are set to go into effect this month.

When it announced the new rules, the SEC noted that some companies may be exempt if there is substantial risk to public safety or national security.

The FBI has now provided some clarifications on this exemption, explaining that the Justice Department can grant a 30-day delay for national security or public safety reasons. The disclosure can be delayed for another 30 days, or 60 days in extraordinary circumstances involving national security, but the delays cannot exceed a total of 120 business days without an exemptive order from the SEC.

The FBI is accepting the delay requests on behalf of the Justice Department and organizations seeking to delay disclosure must follow certain procedures.

“If the FBI does not receive the delay request from the victim directly or through the US Secret Service (USSS), the Cybersecurity and Infrastructure Security Agency (CISA), or another sector risk management agency (SRMAs) concurrently with the materiality determination, the FBI won’t process the request,” the agency explained. 

It added, “In other words, failure to report the cyber incident immediately upon determination of materiality will cause a delay-referral request to be denied.  The FBI also encourages victims to engage with the FBI directly or through USSS, CISA, or SRMAs prior to making a materiality determination.”

While some applauded the SEC for its initiative when it announced the new rules, others raised concerns about the impact on investors and some warned that the disclosure rules could actually help cybercriminals. 

Advertisement. Scroll to continue reading.

Republican lawmakers filed a joint resolution last month in an effort to overturn the rules, but it has yet to pass the House or the Senate. 

Related: Industry Reactions to New SEC Cyber Incident Disclosure Rules: Feedback Friday

Related: Ransomware Group Files SEC Complaint Over Victim’s Failure to Disclose Data Breach

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to Outlook.com and Exchange Online.

CISO Strategy

Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.

Data Breaches

Sony shares information on the impact of two recent unrelated hacker attacks carried out by known ransomware groups. 

Data Breaches

A group of hackers has leaked Atlassian employee records and floorplans, information that was obtained from third-party workplace platform Envoy.

Data Breaches

Delta Dental of California says over 6.9 million individuals were impacted by a data breach caused by the MOVEit hack.