
FBI Partakes in SEC Cyber Compliance

Published by Joe Breen

Navigating the process of requesting delays amid the SEC’s new requirements

We are now less than a week out from the SEC’s new rules going into effect, and public companies have no choice but to be prepared. We know from the SEC’s original statement that companies have 4 days after a material determination to publicly disclose their findings. There was some backlash around this timeline, so the SEC came up with a bit of a compromise: companies that believe filing poses a risk to national security or public safety can request a delay. In connection with this exception, the FBI released a public notice with its guidance on how companies can request this delay. Requests can be made by companies or by government agencies that might be involved, but whoever is requesting must go through the FBI. The FBI will do its research and confirm the request is legitimate, which will then prompt a referral to the DOJ/Attorney General to make the final decision.

So, let’s get into what it is that the FBI needs companies to provide. You can access the full report, guidance, and other information from the FBI here, but I’d like to just break down the basics in this blog. The guidance from the FBI has 10 pieces of information that need to be provided:

  1. Company name
  2. Date of the incident
  3. Time at which a material determination was made (missing this will result in your request being tossed)
  4. Information about current contact with the FBI
  5. A detailed description of the incident
  6. Possible suspects
  7. Incident remediation status
  8. Location of the incident
  9. Company point of contact
  10. Information regarding previous requests for delay

Now, let’s think about it: how likely is it that a company releasing a materiality determination will be a risk to national security or public safety? Not likely at all. But in the case that it does pose a threat, the stakes are high and the FBI wants the information fast. This notice is another thing being thrown on the to-do list for the security teams of public companies. They need to hit the drawing board and begin defining a process for how they will go about requesting these delays, because in the midst of an event they will not have the capacity to scramble and get this filed in time.

How are security teams managing the compliance around these new regulations while also navigating an increasingly complex threat landscape? By the skin of their teeth. Axio is currently working on a list of offerings that will allow companies to assess their readiness, and then build a roadmap to address any areas they may be falling short. Stay tuned to hear more, or check out our page dedicated to compliance with the SEC’s new rules.

For more information on how to navigate the SEC cyber rules, we invite you to listen to our roundtable presentation on the topic. You can register below.

Webinar: Pragmatic Cyber Risk Management in the Post-SEC Environment