The Department of Justice has outlined conditions under which firms can delay the reporting of cyber attacks following recent requirements set out by the Securities and Exchange Commission (SEC). As part of securities laws, American business entities are obliged to report any cyber attack incidents that could potentially have a significant impact on their business operations and financial condition to the SEC. However, there are exceptions to this rule:
- Firms are not required to disclose the incident if the Attorney General has determined that such a disclosure could compromise public safety or national security.
- If a company requests a delay in reporting a cyber attack, the Federal Bureau of Investigation (FBI) will review the request within four business days. A senior Justice Department official will subsequently decide whether to approve the delay.
According to senior officials, there are certain scenarios where a business might be permitted to delay cyber attack reports. These could include cases where the cyber attack technique used does not have a known solution, such as a software vulnerability without a patch available. Furthermore, if the attacked company holds sensitive government information, or works on critical infrastructure, and public disclosure may potentially lead to other attacks or hinder efforts to deal with the issue, then the firm may be allowed to delay reporting.
The initial delay for reporting a cyber attack is set at 30 days, but this can potentially be extended to 120 days if the Attorney General determines that disclosure could significantly threaten national security. However, senior Justice Department officials have stated that they expect requests for reporting delays to be rare, given the stringent criteria needed to qualify.
The new SEC rule, and ensuing Justice Department’s guidelines, reflect the growing importance of cyber security in the business world, particularly given the increased regularity of high-profile and debilitating cyber attacks. They also highlight the delicate balance needed between maintaining stock market transparency and ensuring national security is not compromised.
These changes come as part of larger efforts to improve cyber security measures, with both the private and public sectors seeking to strengthen their capabilities and counter the growing threat of cybercrime.