This article is from RISQ Consulting’s Zywave client portal, a resource available to all RISQ Consulting clients.
With the Dec. 18 effective date of the U.S. Securities and Exchange Commission’s (SEC) cyber incident reporting rules looming, federal officials have offered guidance on when the Department of Justice may approve disclosure delays in the interest of national security.
The SEC cyber rules, adopted this past July, give publicly traded companies four days to disclose the occurrence of a “material” cyber event via regulatory filing. The U.S. Department of Justice and the FBI gave examples of scenarios that may warrant delay.
“The primary inquiry for the Department is whether the public disclosure of a cybersecurity incident threatens public safety or national security, not whether the incident itself poses a substantial risk to public safety and national security,” stated the Justice Department. “While cybersecurity incidents themselves frequently threaten public safety and national security, the disclosure to the public that those incidents have occurred poses threats less often.”
These “limited circumstances” would apply to cases in which a company “reasonably” suspects the event occurred because of a tactic with no known mitigation—for example, an as-yet-unpatched software vulnerability.
Another example involved events impacting systems that contain sensitive government information.
“This category includes systems operated or maintained for the government as well as systems not specifically operated or maintained for the government that contain information the government would view as sensitive, such as that regarding national defense or research and development performed pursuant to government contracts,” said the Department. It also highlighted events involving public companies performing remediation efforts for critical infrastructure or critical systems.
The FBI “strongly” encouraged companies to contact federal officials as soon as they determine an event could threaten national security or public safety.
“This early outreach allows the FBI to familiarize itself with the facts and circumstances of an incident before the company makes a materiality determination,” said the agency. “If the victim of a cyber intrusion engages with the FBI or another U.S. government agency, this engagement doesn’t trigger a determination of materiality. However, it could assist with the FBI’s review if the company determines that a cyber incident is material and seeks a disclosure delay.”