TheCorporateCounsel.net

December 13, 2023

Cybersecurity: FBI Guidance on Seeking 8-K Disclosure Delay

The SEC’s cyber disclosure rules mandating Form 8-K disclosure of material cybersecurity incidents go into effect on December 18th. New Item 1.05 of Form 8-K allows companies to defer disclosure for a time if the Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of such determination in writing. The rules don’t specify how companies are supposed to bring this issue to the Attorney General’s attention, but the FBI has recently weighed in with guidance to public companies on how to do that.

The guidance provides that written notice be delivered to the FBI or another appropriate agency through a dedicated email address that will be established soon, and says that the notice must address the following questions:

1. What is the name of your company?
2. When did the cyber incident occur?
3. When did you determine the cyber incident is material, per 88 Fed. Reg. 51896? Include the date, time, and time zone. (Note: Failure to report this information immediately upon determination will cause your delay-referral request to be denied.)
4. Are you already in contact with the FBI or another U.S. government agency regarding this incident? If so, provide the names and field offices of the FBI points of contact or information regarding the U.S. government agency with whom you’re in contact.
5. Describe the incident in detail. Include the following details, at minimum:
   a. What type of incident occurred?
   b. What are the known or suspected intrusion vectors, including any identified vulnerabilities if known?
   c. What infrastructure or data were affected (if any) and how were they affected?
   d. What is the operational impact on the company, if known?
6. Is there confirmed or suspected attribution of the cyber actors responsible?
7. What is the current status of any remediation or mitigation efforts?
8. Where did the incident occur? Provide the street address, city, and state where the incident occurred.
9. Who are your company’s points of contact for this matter? Provide the name, phone number, and email address of personnel you want the FBI to contact to discuss this request.
10. Has your company previously submitted a delay referral request or is this the first time? If you have previously submitted a delay request, please include details about when DOJ made its last delay determination(s), on what grounds, and for how long it granted the delay (if applicable).

In an announcement accompanying the guidance, the FBI urges all public companies to establish a relationship with the cyber squad at their local FBI office. The FBI also “strongly encourages” companies to contact it directly or through the Secret Service, CISA, or another sector risk management agency soon after they believe disclosure of a newly discovered incident may pose a substantial risk to national security or public safety. The FBI says that this early outreach will enable it to familiarize itself with the relevant facts & circumstances before a materiality determination is made by the company.

John Jenkins