FBI to Evaluate Bids to Delay Reporting Cybersecurity Events

The FBI outlined procedures for publicly traded companies to invoke a delay in reporting material cybersecurity incidents to investors as required under rules approved earlier this year by the U.S. Securities and Exchange Commission.

See Also: Securing Your Business Begins with Password Security

Federal regulators mandated that, starting Dec. 18, companies listed on stock market exchanges must determine whether a cyber incident is “material,” and if so, disclose it within four business days. Small businesses have until June 15 to comply with the rule (see: SEC Votes to Require Material Incident Disclosure in 4 Days).

The SEC added a reporting extension for incidents that could affect public safety or national security after reading comments submitted during the rule proposal stage, a SEC official said at the time.

In a Wednesday public notice, the bureau said it will start investigating the public safety or national security repercussions of an incident with two hours of receiving a request, whether directly from the victim or through another government agency, such as the Cybersecurity and Infrastructure Security Agency.

The Department of Justice ultimately will make the decision whether to postpone public notification. The rule gives companies a pause of up to 60 business days for most risks but “in extraordinary circumstances,” up to 120 business days for a substantial national security risk. Any delay longer than that would require an order from the SEC.

The final rule defines a material incident as one in which “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision. An incident that significantly alter the “total mix” of public information also counts. In case of doubt, federal regulators said, companies should choose to disclose an incident.

The FBI said a request for an extension must be made immediately after determining an incident’s materiality. “Failure to report the cyber incident immediately upon determination of materiality will cause a delay-referral request to be denied,” the bureau’s website says.

The FBI recommends that “all publicly traded companies establish a relationship with the cyber squad at their local FBI field office.”

An SEC official recently told a New York City audience that the rule was necessary, since “investors really don’t have a good picture into what losses companies may face from cybersecurity incidents” (see: SEC Aims to Avoid Cyber Disclosure Rule ‘Compliance Burdens’).