FBI Details How Companies Can Delay SEC Cyber Disclosures
2023-12-12 01:0:56 Author: securityboulevard.com

The FBI is outlining how its agents will handle requests from publicly traded companies that want to delay having to disclose a cybersecurity incident under the new controversial Securities and Exchange Commission (SEC) rules that take effect next week.

The SEC finalized the rules in July, with a key requirement being that companies listed on the stock market, once they’ve determined that a cyber-incident is “material,” have four days to publicly disclose the details. The rules take effect December 18, though smaller companies have until mid-June to start complying.

One role the FBI will play is fielding requests from companies to delay disclosing an event, with the SEC saying such delays can be granted if disclosures would risk national security or public safety.

To help companies prepare for the new rules, the FBI this month issued a seven-page public notice detailing how the law enforcement agency will handle requests to delay disclosure for at least 30 days, though such delays can’t be more than 120 days. The Attorney General’s Office makes the final decision on a delay request.

Taking In Disclosure Delay Requests

The FBI is responsible for taking in and documenting the requests, checking the government’s national security and public safety regulations, and referring the information to the Justice Department. An agent will start investigating whether disclosing the incident would be a national security or public safety issue within two hours of receiving the delay request either directly from the victim or from a U.S. agency, such as the Cybersecurity and Infrastructure Security Agency (CISA) or the Secret Service.

The company sustaining the cyberattack needs to make the request for delay at the same time it determines that the incident is “material” in nature. The SEC defines a material cybersecurity incident as one where “there is substantial likelihood that a reasonable shareholder would consider it important” when making an investment decision.

The FBI also urged companies to reach out to the FBI before determining whether an incident is a material one and soon after believing that disclosure of an attack poses a national security or public safety risk.

“This early outreach allows the FBI to familiarize itself with the facts and circumstances of an incident before the company makes a materiality determination,” the agency wrote, adding that “if the victim of a cyber intrusion engages with the FBI or another U.S. government agency, this engagement doesn’t trigger a determination of materiality.”

However, such engagement could help with the FBI’s review of the disclosure delay request, the FBI wrote.

Rules Spark Debate

The SEC created the rules to bring uniformity to how and when public companies disclose cybersecurity incidents. In a statement in July announcing the new regulations, SEC Chair Gary Gensler said that “currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”

Gensler added that “through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”

Companies will have to disclose the incidents in their Form 8-K submissions within four days of determining they are material. In addition, they’ll need to outline their cybersecurity management and strategy.

Global consultancy PwC said that with the new disclosure rules, “the SEC puts the onus on companies to give investors current, consistent and ‘decision-useful’ information about how they manage their cyber risks.”

What Is ‘Material’?

The new rule has gotten pushback from companies, including on how to define whether an incident is material. Organizations like the U.S. Chamber of Commerce have also objected; in July, the Chamber called the regulation “overreach” by the SEC.

Christopher Roberti, senior vice president for cyber, space, and national security policy at the organization, said in a statement that the Cyber Incident Reporting for Critical Infrastructure Act of 2022 already addressed the issue and that the new rule “sharply diverges from that mandate and the President’s National Cybersecurity Strategy, jeopardizing a needed confidential reporting strategy and harming cyber incident victims before they can remediate incidents.”

There also is ample debate online. In one conversation on Reddit, an individual said he had been worried about such government intervention.

The “SEC, who knows nothing about Cybersecurity is now forcing changes on best practices,” the writer wrote. “I know the SEC wants to protect investors, but they should make it a 3 month requirement. 3 Months is standard for public company financial disclosure and allowing a company’s Cybersecurity teams to do a thorough investigation on incidents.”

Another wrote that “four days after the target determines it to be material is a loophole the size of a barn honestly. Hopefully this will do some good but I’m not optimistic.”

Source: https://securityboulevard.com/2023/12/fbi-details-how-companies-can-delay-sec-cyber-disclosures/