FBI explains how companies can delay SEC cyber incident disclosures
The FBI has published guidance on how companies can request a delay in disclosing cyber incidents to the Securities and Exchange Commission (SEC).
The document is a follow-up to new rules that the SEC approved in June requiring companies to quickly disclose “material” cybersecurity incidents and share the details of their cybersecurity risk management, strategy and governance with the commission on an annual basis.
Companies have to report issues to the SEC in 8-K filings within four business days unless the U.S. attorney general determines that disclosure would threaten national security or public safety. The FBI will be responsible for collecting delay request forms and passing the viable ones on to the Justice Department.
The rules take effect on December 18, but smaller companies will have an extra 180 days to comply. The FBI worked with the Department of Justice to create the guidance document for victims about how companies can “request disclosure delays for national security or public safety reasons.”
The bureau recommends “all publicly traded companies establish a relationship with the cyber squad at their local FBI field office” and “strongly encourages companies to contact the FBI soon after a cyber incident is discovered. This early outreach allows the FBI to familiarize itself with the facts and circumstances of an incident before the company makes a materiality determination.”
In a summary, the bureau explained that a “material cybersecurity incident” is defined as one in which “there is substantial likelihood that a reasonable shareholder would consider it important” when making an investment decision.
Simply engaging with the FBI won’t trigger “materiality,” the bureau said.
“However, it could assist with the FBI’s review if the company determines that a cyber incident is material and seeks a disclosure delay. Please note that delay requests won't be processed unless they are made immediately upon a company’s determination of materiality.”
To request a delay, companies must email the FBI information about when the incident occurred and when the organization determined it was material. A failure to provide the exact date, time and time zone for the materiality determination “will cause your delay-referral request to be denied,” the FBI warned.
The message should include detailed information about what kind of cyberattack occurred, what the intrusion vectors are, what infrastructure or data was affected and how, the operational impact of the incident and whether there is confirmed attribution of the attack.
Companies will need to provide points of contact and information about whether it’s the first time they have submitted a delay-referral request.
“If yes, indicate when the Department of Justice made its last delay determination(s) for this incident, on what grounds, and for how long the Justice Department granted its delay,” the FBI said.
The FBI also wants companies to say in the email whether they have already been in contact with a local field office.
Since the rules were announced, there has been significant backlash from companies, industry organizations and others. Rep. Andrew Garbarino (R-NY) proposed legislation three weeks ago that would overturn them.
The rules immediately caused outrage from companies and lawmakers who questioned what the SEC meant when using the term “material cybersecurity incident” in light of the endless barrage of cyberattacks most large organizations face on a daily basis.
30 days, maybe 30 more
Under the rules, DOJ can grant a delay of public filing for 30 business days, with an option to delay for an additional 30.
In “extraordinary circumstances,” the department can delay for an additional 60 business days due to substantial national security (but not public safety) risks, the FBI said.
The delays cannot exceed 120 business days without an exemptive order from the SEC.
The FBI is the agency responsible for receiving the delay requests on behalf of the DOJ, documenting each one, “coordinating checks of U.S. government national security and public safety equities” and ultimately referring the information to the Justice Department.
The bureau reiterated that if a company does not make the delay request alongside the determination of whether the attack was “material,” the FBI will not process it.
“In other words, failure to report the cyber incident immediately upon determination of materiality will cause a delay-referral request to be denied,” they explained.
“After the FBI makes a referral based on equities checks and fact-finding procedures, DOJ will issue a delay determination. This determination will be communicated in writing concurrently to the victim and the SEC. If DOJ approves the delay request, the FBI should invite the victim to submit any requests for delay extensions to the Bureau. An email address where victims can submit such requests is forthcoming.”
DOJ and FBI officials said at the Aspen Digital Conference last month that they will evaluate disclosure delay requests based on the industry of the victim, the type of vulnerability exploited for initial access and the type of attacker.
“If it's something like a zero-day and a nation-state, we're probably more to lean towards potentially having a concern about that disclosure in terms of the national security risk benefit versus a sort of run-of-the-mill phishing attack,” said Department of Justice deputy assistant attorney general Eun Young Choi.
“Those are sort of case-by-case determinations that we're going to have to make.”
She urged companies to come forward to the FBI and DOJ even before they have made the determination of whether it is a “material incident” so that officials can help them understand whether it is or is not.
Bryan Vorndran, assistant director of the FBI’s Cyber Division, added that companies should not be concerned about the FBI or DOJ reporting them to the SEC, noting that the FBI has “no role” in the relationship between a company and its regulator.
“We will get calls in our field offices at times and the SEC will say, ‘Hey, we have questions for the victimized organization. Can you let me know when your team and your folks are off site and at that time we'll engage with the victim just so that they don't have to engage with the FBI and SEC at the same time?’” he said.
“That's generally the magnitude of the overlap between us and the SEC — as a logistics coordination role after or before but not at the same time.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
Martin Matishak is the senior cybersecurity reporter for The Record. Prior to joining Recorded Future News in 2021, he spent more than five years at Politico, where he covered digital and national security developments across Capitol Hill, the Pentagon and the U.S. intelligence community. He previously was a reporter at The Hill, National Journal Group and Inside Washington Publishers.