FBI Guidance to Victims of Cyber Incidents
on SEC Reporting Requirements
The Securities and Exchange Commission's new requirements for companies to disclose material cybersecurity incidents take effect on December 18, 2023. The FBI, in coordination with the Department of Justice, is providing guidance on how victims can request disclosure delays for national security or public safety reasons. The FBI recommends all publicly traded companies establish a relationship with the cyber squad at their local FBI field office.
You can click on the buttons at the bottom of this page to read guidance on requesting a delay and providing necessary information to the FBI, to view the SEC Rule, to view the Justice Department's material cybersecurity incident delay determinations guidelines, and to read the FBI’s Policy Notice about how victim requests are processed.
The FBI strongly encourages companies to contact the FBI directly or through the U.S. Secret Service (USSS), another federal law enforcement agency, the Cybersecurity and Infrastructure Security Agency (CISA), or another sector risk management agency soon after a registrant believes disclosure of a newly-discovered cybersecurity incident may pose a substantial risk to national security or public safety. This early outreach allows the FBI to familiarize itself with the facts and circumstances of an incident before the company makes a materiality determination. If the victim of a cyber intrusion engages with the FBI or another U.S. government agency, this engagement doesn't trigger a determination of materiality. However, it could assist with the FBI’s review if the company determines that a cyber incident is material and seeks a disclosure delay.
Please note that delay requests won't be processed unless they are received by the FBI immediately upon a company’s determination to disclose a cyber incident via 8k.