FBI Guidance to Victims of Cyber Incidents
on SEC Reporting Requirements: FBI Policy Notice Summary
A summary of the FBI’s Policy Notice regarding cyber victim requests to delay Securities and Exchange Commission-mandated public disclosures is, as follows:
- As per the SEC requirement, if a registrant experiences a cybersecurity incident that the registrant determines to be material, the registrant must disclose certain facts about that incident.
- The SEC defines “cybersecurity incident” to mean “an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.”
- The SEC’s order adopting the rule says the following about the meaning of “material:”
- “[I]nformation is material if ‘there is a substantial likelihood that a reasonable shareholder would consider it important’ in making an investment decision, or if it would have ‘significantly altered the "total mix" of information made available.'"
- "'Doubts as to the critical nature’ of the relevant information should be ‘resolved in favor of those the statute is designed to protect,’ namely investors.”
- Once a company makes a materiality determination, the company has four business days to publicly disclose the incident by filing a SEC Form 8-K in Edgar, the SEC’s publicly accessible and widely searched filing platform.
- The SEC included a provision—Item 1.05(c)—that allows the Department of Justice to determine if a delay in publicly filing the 8-K form is merited for reasons of national security or public safety.
- The rule permits the Justice Department to grant a delay of public filing for 30 days, with an option to delay for an additional 30 days. In “extraordinary circumstances,” DOJ can delay for an additional 60 days due to substantial national security (but not public safety) risks.
- Delays cannot exceed a total of 120 days (or 60 days in instances that solely relate to public safety) without an exemptive order from the SEC.
- The FBI is responsible for:
- Intaking delay requests on behalf of DOJ
- Documenting those requests
- Coordinating checks of U.S. government national security and public safety equities, including consulting with the U.S. Secret Service (USSS), Cybersecurity and Infrastructure Security Agency (CISA), and sector risk management agencies (SRMAs) as appropriate.
- Referring information to DOJ
- The FBI encourages victims to engage with the FBI directly or through the USSS, CISA, or SRMAs prior to the company’s determination to disclose details of a cyber incident via an SEC Form 8-K.
- If the FBI doesn't receive the delay request from the victim directly or through the USSS, another law enforcement agency, CISA, or another SRMA immediately upon this determination, the FBI won't process the request.
- In other words, failure to report the cyber incident immediately upon this determination will cause a delay-referral request to be denied.
- After the FBI makes a referral based on equities checks and fact-finding procedures, DOJ will issue a delay determination. This determination will be communicated in writing to the victim and the SEC.
- If DOJ approves the delay request, the FBI should invite the victim to submit any requests for delay extensions to the FBI by filling out the form located at sec8k.ic3.gov.
- Please note this summary is written for convenience only and isn't intended to replace or supersede the FBI’s Policy Notice.