A week before contentious new breach-disclosure regulations take effect, authorities have outlined the process U.S. public companies will need to follow if they want to delay reporting a particular attack.
From Dec. 18, publicly traded companies that suffer a “material” cyberattack are required to file details with the Securities and Exchange Commission (SEC) within four working days.
The new rule is aimed at increasing transparency and ensuring attacks are dealt with in a standardized fashion. But critics say it imposes an unrealistic timeframe and adds unnecessary demands onto an already strained cybersecurity workforce.
Under the rule, details must be publicly filed on the SEC’s ubiquitous 8-K form that is well known to anyone who researches listed companies. Filing can be deferred, however, if the Department of Justice (DOJ) is satisfied withholding the information is merited on national security or public safety grounds.
Last week, the FBI published guidelines on the reporting requirements, along with a policy notice setting out its role as the agency responsible for dealing with victim companies wanting to delay filing an 8-K after a cyberattack.
One concern amongst information security professionals relating to the new rule has been uncertainty about what constitutes a “material” event that triggers the four-day reporting requirement.
According to the FBI’s guidelines, a cybersecurity incident would be considered material if “there is substantial likelihood that a reasonable shareholder would consider it important” when making an investment decision.
In the guidelines, the FBI said its role was to receive and review a company’s request for a reporting delay, which it would then pass on to the DOJ.
“Extraordinary circumstances” could delay breach disclosure with SEC
If it determined that withholding the details of an attack was justified, the DOJ could grant an initial 30-day public filing delay, with an option to delay for a further 30 days after that. In “extraordinary circumstances” the delay could be extended by a further 60 days if there were “substantial” national security risks. Any additional delays would require an exemptive order from the SEC.
While it was up to the victim company to determine if an attack it suffered was material, the FBI said it recommended public companies establish a relationship with the cyber squad at their local FBI field office.
“The FBI also strongly encourages companies to contact the FBI soon after a cyber incident is discovered. This early outreach allows the FBI to familiarize itself with the facts and circumstances of an incident before the company makes a materiality determination.”
The bureau said it would only process a delay request if it was made at the same time as the company determined it was dealing with a material incident. If the company did not immediately report the breach as soon as it was determined to be material, the FBI would not action the delay-referral request.