The Department of Justice (DOJ) has released new guidelines detailing how companies can request a delay in disclosing significant cyber incidents, a disclosure mandated by the Securities and Exchange Commission (SEC). To qualify for a delay, a company must demonstrate that immediate disclosure would pose a risk to national security or public safety. The SEC implemented rules in July that require public companies to disclose material cybersecurity incidents annually.
- DOJ’s guidelines provide a roadmap for companies seeking to delay the disclosure of major cybersecurity incidents due to national security or public safety concerns.
- The guidelines require companies to immediately contact the FBI in such circumstances, in line with the bureau’s reporting instructions.
- The document also includes procedures for U.S. government agencies if an exception to the general disclosure requirement is sought.
- The SEC has issued rules requiring public companies to annually report material information about their cybersecurity strategy, risk management, and governance.
The guidelines provide instructions for both private sector organizations and government agencies, underlining the importance of swift and accurate reporting in maintaining national security and protecting the public. The rules laid down by the SEC aim to increase transparency in how companies respond to cybersecurity incidents and manage related risks.
This move is part of a broader trend towards increased scrutiny of cybersecurity practices across the private sector, particularly for public companies whose operations could impact national security. The guidelines provide a clear pathway for companies to navigate if their regular reporting obligations clash with wider security or public safety considerations.
The FBI’s involvement in these decisions underscores the central role the bureau plays in safeguarding the United States’ cyber infrastructure. Immediate contact with the FBI is a critical component of the guidelines, ensuring that federal authorities are promptly informed about potential threats.
Overall, the DOJ’s guidelines represent an important development in the balancing act between transparency in corporate cybersecurity and the protection of national security and public safety. This will likely catalyze further conversations about the intersection between business, technology, and public policy in the digital age.