FBI Offers Disclosure Delay Request Guidance Ahead of SEC 4-Day Rule Debut

On December 18th, the SEC's new 4-day rule for "material" cybersecurity incident disclosure takes effect, and since the FBI will be responsible, along with the DoJ, for collecting and assessing delay requests, it has published guidance for companies hoping to apply.

The document explains that companies may “request disclosure delays for national security or public safety reasons” by emailing the FBI the following information: 

  • When the incident occurred 
  • When the organization determined it was material 
  • What kind of cyberattack occurred 
  • What the intrusion vectors are 
  • What infrastructure or data was affected 
  • How infrastructure or data was affected 
  • Operational impact of the incident 
  • Whether there is confirmed attribution of the attack 
  • Whether they have already been in contact with a local field office 
  • Points of contact 
  • Information about whether it’s the first delay-referral request 

If the exact date, time and time zone of the materiality determination are not provided, or if the delay request is not made alongside the determination of whether the attack was "material," the delay-referral request will be denied.

After the FBI makes a referral, the DoJ will issue a delay determination and can grant a delay of the public filing for 30 business days, with an option to extend it for an additional 30 business days. In "extraordinary circumstances," a further delay of 60 business days can be granted due to substantial national security (but not public safety) risks, the FBI said.

Troy Batterberry, CEO and Founder of EchoMark, had this to say:

   “The current SEC disclosure rules, while well intentioned to keep investors informed, fail to comprehend the complexity of dealing with such events as they emerge. Prematurely disclosing information can help assist the very criminal(s) involved and make the situation even worse for the victim and their respective investors. Such situations are not just limited to national security.”

Clearly there's some need to nuance these rules. But I am glad that they exist, as they make cybercrime way less profitable for cybercriminals. Not to mention giving the public more transparency in terms of companies who get pwned.

UPDATE: George McGregor, VP at Approov Mobile Security, added this:

   “With the new SEC reporting guidelines as well as the EU Cyber Resiliency Act 24 hour breach reporting requirement coming into force, companies are having to scramble to be able to quickly report breaches.

   “The process to request a delay by the FBI is welcome, and will take some of the pressure off. Companies are struggling to balance limited investments, and what we don’t want to see is a focus on regulatory reporting to the detriment of spending on upstream cyber defense techniques.”
