Here’s news all you cybersecurity compliance professionals can use: the Justice Department has published guidance on how public companies can seek a national security exemption from the Securities and Exchange Commission’s new rules for expanded disclosure of cybersecurity incidents.
As you may recall, the SEC adopted those new rules in July, and they go into effect starting next week. This means companies will need to start disclosing “material cybersecurity incidents” within four days of deciding that an attack was indeed material — unless disclosing the attack might undermine national security or law enforcement objectives. For example, disclosing the attack might tip off the attackers that you know about a spyware incident while law enforcement is quietly trying to apprehend them.
The SEC rules only spoke of an ability to “petition” the attorney general’s office to win one or more extensions from that four-day disclosure window, without much detail on exactly how a company might do that. (“Press 1 to voluntarily self-disclose an FCPA violation. Press 2 to ask for an extension on a cybersecurity disclosure…”)
Now the Justice Department has published seven pages’ worth of guidance on how to request said extensions.
Basically, you call the FBI.
In conjunction with the Justice Department’s guidance, the FBI released companion instructions on how to request an extension. Filers that want an exemption from the SEC’s four-day window are supposed to start with the FBI, and the bureau warns that extension requests “won’t be processed unless they are received by the FBI immediately upon a company’s determination to disclose a cyber incident via 8-K.” Be warned: the bold-face and underline are in the original.
Companies are supposed to submit their extension requests via email either to the FBI — “through a dedicated email address that is coming soon,” the FBI says, which is ridiculous given that these rules are five months old — or to the U.S. Secret Service, the Cybersecurity and Infrastructure Security Agency, the Department of Defense, or “another sector risk management agency.”
The FBI then lists 10 questions that your extension request should answer, including:
- When did the cyber incident occur?
- When did you determine the cyber incident is material? Include the date, time, and time zone. (Note: Failure to report this information immediately upon determination will cause your delay-referral request to be denied.)
- Are you already in contact with the FBI or another U.S. government agency regarding this incident?
- Is there confirmed or suspected attribution of the cyber actors responsible?
- What is the current status of any remediation or mitigation efforts?
Again, that bold-faced warning about immediate submission is in the original text. That’s because if you want the extension, you must submit it and the department must evaluate it within that four-day window required by the SEC rule. “As such,” the guidance says, “it is important that the registrant provide to the FB… as soon as possible, even beginning well before the registrant has completed its materiality analysis or its investigation into the incident.”
Once the Request Is Submitted
Alas, the Justice Department guidance doesn’t say much about exactly how the attorney general (or, presumably, those acting on the AG’s authority) will evaluate extension requests. The FBI will refer your request to the AG’s office, and that referral will include the FBI’s assessment of whether the extension should be granted — but beyond that, we on the outside don’t know much about how decisions are made on the inside.
That said, the guidance does include a warning that those hoping for an extension should not hold their breaths:
The primary inquiry for the department is whether the public disclosure of a cybersecurity incident threatens public safety or national security, not whether the incident itself poses a substantial risk to public safety and national security. While cybersecurity incidents themselves frequently threaten public safety and national security, the disclosure to the public that those incidents have occurred poses threats less often. In many circumstances, the prompt public disclosure of relevant information about a cybersecurity incident provides an overall benefit for investors, public safety, and national security.
So I would not get my hopes up, unless law enforcement has already told you it believes an extension serves some law enforcement purpose.
When the Justice Department decides in favor of an extension, it will inform both you and the SEC in writing, and will specify how long the extension is; you can get an extension for as many as 30 days, but not necessarily the full 30. Also, the department might decide to give you an extension on some details, such as the nature of the attack, but require immediate disclosure of other details (say, when it happened).
If the department decides against an extension, only you get notified. No mention of an appeals process if you don’t like the ruling.
If you do score a 30-day extension, you can then request more extensions after that: first another 30-day delay, then a 60-day delay, and a “final additional” delay of another 60 days. In all cases, you’ll need to demonstrate that a substantial threat to national security is ongoing, and submit those requests at least five business days before the current extension expires.
Your Cyber Materiality Process
Compliance, audit, and cybersecurity professionals need to keep two points in mind here.
First is the importance of a rigorous process to assess cyber materiality. We’ve talked about this before, as recently as last month. Your company will need to be able to assess both the quantitative and qualitative materiality of cyber incidents — and improvising assessment processes in the heat of an attack is decidedly unwise. So assemble the relevant executives within your enterprise (general counsel, CFO, privacy officer, IT director, internal audit chief, and so forth) to define your materiality thresholds and the methods you’ll use to assess attacks against those criteria.
Second, however, is the importance of collecting evidence during that materiality assessment — because as soon as you do conclude that an event is material, and that you want an extension on disclosing the incident, the Justice Department expects an immediate request. And that request, per the FBI’s submission form, asks for an extensive amount of information. That is not the time to double-check with your forensics team that you’ve recorded all data correctly, or to ask legal whether submitting the data might somehow violate data privacy rules in some other jurisdiction.
Ideally, your process to gather and assess data about materiality also preserves all that information for any extension submission you want to file. It should all be one seamless procedure: a GRC tool that acts as the fabled single source of truth, reporting processes that immediately pull the relevant data into a report, and that report then emailed off to the FBI.
Assuming the FBI ever does actually get its own email address to accept those submissions. Still can’t believe that isn’t up and running already.