FBI Offers Guidance on SEC Reporting Requirements for Cyber Incidents


In anticipation of the Securities and Exchange Commission's (SEC) upcoming requirements for companies to disclose material cybersecurity incidents, the Federal Bureau of Investigation (FBI), in collaboration with the Department of Justice, is providing crucial guidance for victims of cyber incidents. With the SEC's new rules set to take effect on December 18, 2023, the FBI aims to assist companies in navigating these reporting requirements, particularly in scenarios involving national security or public safety concerns.

The FBI strongly advises all publicly traded companies to establish a proactive relationship with the cyber squad at their local FBI field office. This relationship is deemed essential for effective communication and collaboration in the event of a cybersecurity incident. To facilitate this process, the FBI has provided guidance on how to request a disclosure delay and on the information that victims should provide to the agency.

Companies seeking assistance are encouraged to reach out to the FBI directly or engage with the U.S. Secret Service, the Cybersecurity and Infrastructure Security Agency (CISA), or other sector risk management agencies. Early communication is vital, especially when a registrant believes that the disclosure of a newly discovered cybersecurity incident may pose a substantial risk to national security or public safety.

Engaging with the FBI or another U.S. government agency during the initial stages of a cyber intrusion does not automatically trigger a determination of materiality. Instead, it allows the FBI to familiarize itself with the details surrounding the incident, aiding in the review process if the company later determines the incident to be material and seeks a disclosure delay.

To assist victims in this process, the FBI has outlined specific steps for requesting a delay and providing necessary information. These resources, along with the SEC Rule and the FBI’s Policy Notice detailing how victim requests are processed, are accessible through buttons provided in the official press release.

It is crucial for companies to note that the FBI will only process delay requests if they are promptly submitted upon the company's determination to disclose a cyber incident via the 8-K filing process. This emphasizes the importance of swift and timely communication between affected entities and law enforcement to ensure a coordinated and effective response to cyber threats. The FBI's guidance underscores the collaborative effort required to navigate the evolving landscape of cybersecurity and maintain the integrity of the financial markets.
