The FBI has issued guidance regarding the data breach reporting requirements of the Securities and Exchange Commission (SEC), providing useful information on how disclosures can be delayed.
The SEC announced in late July that it had adopted new cybersecurity incident disclosure rules for public companies, requiring them to disclose, through a Form 8-K filing, any material breach within four business days. The rules are set to go into effect this month.
When it announced the new rules, the SEC noted that some companies may be exempt if there is substantial risk to public safety or national security.
The FBI has now provided some clarifications on this exemption, explaining that the Justice Department can grant a 30-day delay for national security or public safety reasons. The disclosure can be delayed for another 30 days, or 60 days in extraordinary circumstances involving national security, but the delays cannot exceed a total of 120 business days without an exemptive order from the SEC.
The FBI is accepting the delay requests on behalf of the Justice Department and organizations seeking to delay disclosure must follow certain procedures.
“If the FBI does not receive the delay request from the victim directly or through the US Secret Service (USSS), the Cybersecurity and Infrastructure Security Agency (CISA), or another sector risk management agency (SRMAs) concurrently with the materiality determination, the FBI won’t process the request,” the agency explained.
It added, “In other words, failure to report the cyber incident immediately upon determination of materiality will cause a delay-referral request to be denied. The FBI also encourages victims to engage with the FBI directly or through USSS, CISA, or SRMAs prior to making a materiality determination.”
While some applauded the SEC for its initiative when it announced the new rules, others raised concerns about the impact on investors and some warned that the disclosure rules could actually help cybercriminals.