FBI Guidance to Victims of Cyber Incidents on SEC Reporting Requirements: FBI Policy Directive Summary
A summary of the FBI’s Policy Directive regarding cyber victim requests to delay disclosure pursuant to the Securities and Exchange Commission's rules and Department of Justice (DOJ) guidance is as follows:
- Under the Securities and Exchange Commission (SEC) requirement, if a registrant experiences a cybersecurity incident that the registrant determines to be material, the registrant must disclose certain facts about that incident.
- The SEC defines “cybersecurity incident” to mean “an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.”
- Once a company makes a materiality determination, the company has four business days to disclose the incident by filing an SEC Form 8-K Item 1.05 in the SEC’s publicly accessible Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system.
- The SEC rules include a provision, Item 1.05(c), that allows the Attorney General (DOJ) to grant a disclosure delay based on substantial risk to national security or public safety.
- A delay may be granted for up to 30 days. If the Attorney General determines that disclosure continues to pose a substantial risk to national security, the disclosure delay may be extended for an additional period of up to 30 days. In extraordinary circumstances, the Attorney General may extend the disclosure delay an additional 60 days due to substantial national security risks.
- Delays cannot exceed a total of 120 days (or 60 days in instances that solely relate to public safety) without an exemptive order from the SEC.
- The FBI is responsible for:
  - Intaking delay requests on behalf of DOJ
  - Documenting those requests
  - Coordinating checks of U.S. government national security and public safety equities, including consulting with the U.S. Secret Service (USSS), Cybersecurity and Infrastructure Security Agency (CISA), and sector risk management agencies (SRMAs) as appropriate
  - Referring information to the DOJ
- The FBI encourages victims to engage with the FBI directly or through the USSS, CISA, or SRMAs prior to the company’s determination to disclose details of a cyber incident via an SEC Form 8-K Item 1.05.
- If the FBI does not receive the delay request immediately upon this determination, whether from the victim directly or through the USSS, another law enforcement agency, CISA, or another SRMA, the FBI will not process the request.
- In other words, failure to report the cyber incident immediately upon this determination will cause a delay-referral request to be denied.
- After the FBI makes a referral based on equities checks and fact-finding procedures, the Justice Department will issue a delay determination. This determination will be communicated in writing to the victim and the SEC.
- If DOJ approves the delay request, the FBI should invite the victim to submit any requests for delay extensions to the FBI by filling out the form located at sec8k.ic3.gov. Requests for delay extensions should be submitted no later than five business days before the expiration of a granted delay.
- Please note that this summary is written for convenience only and is not intended to replace or supersede the FBI’s Policy Directive.