The FBI has issued guidance for publicly traded companies on how to request a delay in public disclosure of a cyber incident under the Security and Exchange Commission’s disclosure rule if the incident poses a national security or public safety risk. Under the rule, companies must determine whether each cybersecurity incident they experience is a “material cybersecurity incident,” which would require them to publicly disclose the incident to the SEC within four business days of the determination. The rule allows the Justice Department to delay disclosure for up to 60 days in cases where the incident poses a public safety risk, and up to 120 days for national security risks.
Requests for disclosure delays must be filed with the FBI, which transmits the request to the Justice Department for review. If the victim of the cyber incident doesn’t make the delay request to the FBI concurrently with filing the materiality determination, the FBI won’t process the request, according to the guidance. The FBI also is encouraging victims to engage with it before making a materiality determination.
The American Bankers Association and other industry associations have expressed concern that the SEC rule would expose businesses targeted by cyberattacks to further attacks by making cyber incident information public. Rep. Andrew Garbarino (R-N.Y.) and Sen. Thom Tillis (R-N.C.) in November introduced a resolution of disapproval that would overturn the rule if the legislation is adopted by both chambers of Congress and signed by the president.