In the US, the Federal Bureau of Investigation (FBI) has issued guidance regarding the data breach reporting requirements of the US Securities and Exchange Commission (SEC), providing useful information on how disclosures can be delayed.  The SEC announced in late July that it had adopted new cybersecurity incident disclosure rules for public companies, requiring them to disclose, through a Form 8-K filing, any material breach within four business days.  The rules are set to go into effect on 18 December 2023.

See:  https://redskyalliance.org/xindustry/8-k-a-need-for-cyber-threat-intel

When it announced the new rules, the SEC noted that some companies may be exempt if there is substantial risk to public safety or national security.  The FBI has now provided some clarifications on this exemption, explaining that the Justice Department can grant a 30-day delay for national security or public safety reasons.  The disclosure can be delayed for another 30 days, or 60 days in extraordinary circumstances involving national security, but the delays cannot exceed a total of 120 business days without an exemptive order from the SEC.[1]

The FBI is accepting the delay requests on behalf of the Justice Department, and organizations seeking to delay disclosure must follow certain procedures.  “If the FBI does not receive the delay request from the victim directly or through the US Secret Service (USSS), the Cybersecurity and Infrastructure Security Agency (CISA), or another sector risk management agency (SRMAs) concurrently with the materiality determination, the FBI won’t process the request,” the agency explained.  It added, “In other words, failure to report the cyber incident immediately upon determination of materiality will cause a delay-referral request to be denied.  The FBI also encourages victims to engage with the FBI directly or through USSS, CISA, or SRMAs prior to making a materiality determination.”

While some applauded the SEC for its initiative when it announced the new rules, others raised concerns about the impact on investors and some warned that the disclosure rules could actually help cybercriminals.

See:  https://www.sec.gov/files/33-11038-fact-sheet.pdf

This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  Call for assistance.  For questions, comments, a demo or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com   

 

Weekly Cyber Intelligence Briefings:

 

Reporting: https://www.redskyalliance.org/

Website: https://www.redskyalliance.com/

LinkedIn: https://www.linkedin.com/company/64265941

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5993554863383553632

 

 

[1] https://www.securityweek.com/fbi-issues-guidance-for-delaying-sec-required-data-breach-disclosure/
