The FBI has released guidelines for publicly traded companies regarding the reporting of material cybersecurity incidents, in accordance with rules set by the U.S. Securities and Exchange Commission (SEC). As of December 18, companies listed on stock exchanges must assess the materiality of cyber incidents and disclose them within four business days, with provisions for reporting extensions in cases affecting public safety or national security, subject to Department of Justice evaluation. Small businesses have until June 15 to comply with these regulations, which aim to enhance transparency and expedite disclosure of cybersecurity events to investors.
The SEC’s ruling emphasizes the importance of promptly reporting material incidents, defining them as those with a substantial likelihood of influencing a reasonable shareholder’s investment decision or significantly altering the total mix of public information. The FBI’s public notice outlines the process for investigating the public safety or national security implications of an incident, with a decision-making timeline that begins within two hours of receiving a request. The Department of Justice is responsible for deciding whether to postpone public notification, allowing companies a pause of up to 60 business days for most risks and up to 120 business days in extraordinary circumstances involving substantial national security risks. Extensions beyond this period would require SEC approval.
To ensure a seamless process, the FBI recommends that publicly traded companies establish a relationship with the cyber squad at their local FBI field office. The urgency of immediate reporting upon determining materiality is emphasized, as any delay may result in the denial of a delay-referral request. The SEC’s move to enforce these reporting rules reflects a broader effort to provide investors with clearer insights into the potential losses that companies may face due to cybersecurity incidents. The regulations aim to strike a balance between transparency and the need to protect public safety and national security, with the FBI playing a crucial role in evaluating and responding to requests for reporting delays.
