FBI Guidance to Victims of Cyber Incidents on SEC Reporting Requirements
In 2023, the Securities and Exchange Commission (SEC) published rules for Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (88 Fed. Reg. 51896) requiring certain companies ("registrants") to disclose material cybersecurity incidents. The FBI, in coordination with the Department of Justice, is providing guidance on how victims can request related disclosure delays for national security or public safety reasons. The FBI recommends all publicly traded companies establish a relationship with the cyber squad at their local FBI field office.
Click on the buttons at the bottom of this page to read the guidance on requesting a delay and providing necessary information to the FBI, to view the SEC rules, to view the Justice Department's guidelines on material cybersecurity incident delay determinations, and to read the FBI’s Policy Directive about how victim requests are processed.
The FBI strongly encourages companies to contact the FBI directly or through the U.S. Secret Service (USSS), another federal law enforcement agency, the Cybersecurity and Infrastructure Security Agency (CISA), or another sector risk management agency soon after a registrant believes disclosure of a newly discovered cybersecurity incident may pose a substantial risk to national security or public safety. This early outreach allows the FBI to familiarize itself with the facts and circumstances of an incident before the company makes a materiality determination. If the victim of a cyber intrusion engages with the FBI or another U.S. government agency, this engagement doesn't trigger a determination of materiality. However, it could assist with the FBI’s review if the company determines that a cybersecurity incident is material and seeks a disclosure delay.
Please note that delay requests won't be processed unless they are received by the FBI immediately upon a company’s determination to disclose a cyber incident via Form 8-K.