National security tops DOJ’s reasons for delayed cyber attack announcements.

December 13, 2023

The Department of Justice has outlined conditions under which firms can delay the reporting of cyber attacks following recent requirements set out by the Securities and Exchange Commission (SEC). As part of securities laws, American business entities are obliged to report any cyber attack incidents that could potentially have a significant impact on their business operations and financial condition to the SEC. However, there are exceptions to this rule:

  • Firms are not required to disclose the incident if the Attorney General has determined that such a disclosure could compromise public safety or national security.
  • If a company requests a delay in reporting a cyber attack, the Federal Bureau of Investigation (FBI) will review the request within four business days. A senior Justice Department official will subsequently decide whether to approve the delay.

According to senior officials, there are certain scenarios where a business might be permitted to delay cyber attack reports. These could include cases where the cyber attack technique used does not have a known solution, such as a software vulnerability without a patch available. Furthermore, if the attacked company holds sensitive government information, or works on critical infrastructure, and public disclosure may potentially lead to other attacks or hinder efforts to deal with the issue, then the firm may be allowed to delay reporting.

The initial delay for reporting a cyber attack is set at 30 days, but this can potentially be extended to 120 days if the Attorney General determines that disclosure could significantly threaten national security. However, senior Justice Department officials have stated that they expect requests for reporting delays to be rare, given the stringent criteria needed to qualify.

The new SEC rule and the ensuing Justice Department guidelines reflect the growing importance of cyber security in the business world, particularly given the increased regularity of high-profile and debilitating cyber attacks. They also highlight the delicate balance needed between maintaining stock market transparency and ensuring national security is not compromised.

These changes come as part of larger efforts to improve cyber security measures, with both the private and public sectors seeking to strengthen their capabilities and counter the growing threat of cybercrime.
