Starting December 18, 2023, publicly traded companies in the US will be required to disclose material cybersecurity incidents to the Securities and Exchange Commission (SEC). If an organization determines a cyber incident is “material,” the event must be disclosed within four business days. The FBI, working with the Department of Justice, has released guidance for companies seeking to delay disclosure for national security or public safety reasons.
This new regulation aims to increase transparency and improve investor protection in the wake of rising cyber threats. However, companies may request a delay in disclosure if they believe it could jeopardize national security or harm public safety. The FBI emphasizes that requests for delay must be made immediately upon determining the materiality of the incident.
The FBI also encourages companies to build relationships with their local FBI field office and report cyber incidents promptly. This allows the FBI to investigate the incident and assess potential risks before the company makes a materiality determination. While contacting the FBI does not trigger materiality, it can be beneficial for companies seeking a delay in disclosure.
Source: FBI Guidance to Victims of Cyber Incidents on SEC Reporting Requirements
Other News: New SEC Rules: Impact on Cyber Insurance Industry(Opens in a new browser tab)