Skip to main content
close search
site logo

FBI to field SEC cyber incident disclosure delay requests

Publicly-traded companies can request incident disclosure delays, but the bar is high. A filing would have to pose a significant threat to public safety or national security.

Published Dec. 12, 2023
Matt Kapko's headshot
Senior Reporter
The front of the agency headquarters, reading "United States Security and Exchange Commission" and the number 450 as a man walks in a glass door at the bottom left of the frame.
A man enters the U.S. Securities and Exchange Commission building March 9, 2001 in Washington, DC. Mark Wilson/Newsmakers via Getty Images

The FBI is taking the lead on fielding publicly-traded companies’ requests to delay the disclosure of material cybersecurity incidents to the Securities and Exchange Commission.

The agency last week published its policies for documenting disclosure delay requests. It also detailed the circumstances under which delays might be granted if a public filing would pose a significant threat to public safety or national security under the SEC rule.

Businesses, starting Monday, are required to disclose every material cybersecurity incident to the SEC in 8-K filings within four business days of determining material impact.

The rule took effect Sept. 5 and the SEC will start enforcing the rule on Monday. Smaller companies are required to comply with the rule starting June 15, 2024.

The SEC’s efforts to require more transparency from businesses in the midst of a cyberattack will further underscore the scope and scale of malicious activity against publicly-traded companies.

The mandate will also catalyze the federal government’s efforts to learn more about ransomware attacks early, as most attacks go unreported and a lack of reporting hinders law enforcement’s ability to take action against threat actors.

“If we don’t get detailed, timely and accurate information as to these intrusions, we are not able to take actions on those,” a senior FBI official said last month in a media briefing about Scattered Spider.

A provision in the SEC rule permits the attorney general to grant a delay for 30 business days with an option to extend the filing deadline an additional 30 days. Under “extraordinary circumstances,” the attorney general can delay the disclosure another 60 business days due to substantial national security risks, the FBI said.

Victim organizations are encouraged to engage with the FBI, the U.S. Secret Service, the Cybersecurity and Infrastructure Security Agency or sector-risk management agencies prior to making a materiality determination.

Such communications won’t render the incident material but “it could assist with the FBI’s review if the company determines that a cyber incident is material and seeks a disclosure delay,” the FBI said.

A material cybersecurity incident triggering a disclosure to the SEC occurs when “there is substantial likelihood that a reasonable shareholder would consider it important” to their investment decisions, the FBI said in a summary.

Companies seeking a delay must contact the FBI and share details about when the incident occurred and when the organization deemed it material.

The FBI will document these requests, investigate potential impacts to national security and public safety, and consult with the Secret Service, CISA and SRMAs before referring delay requests to the Justice Department.

The DOJ and attorney general will issue a delay determination and communicate that decision in writing to the victim and the SEC, the FBI said.

Filed Under: Policy & Regulation

Editors' picks

Company Announcements

View all | Post a press release
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
DigiCert Unveils 2025 Security Predictions
From DigiCert
November 21, 2024
Editors' picks
Latest in Policy & Regulation
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell