Businesses seeking additional time before disclosing to the Securities and Exchange Commission (SEC) the occurrence of a material cybersecurity incident must be prepared to provide detailed information on the matter to the Federal Bureau of Investigation (FBI).

The FBI released guidance for requesting a delay to the new SEC rule’s requirement that the nature, scope, timing, and impact of cybersecurity incidents be reported within four business days of determining materiality. The rule, adopted in July, is set to take effect this month.

Disclosure delays may be granted in cases where the U.S. attorney general determines there are national safety risks, the SEC noted. The FBI’s guidance helps establish the process for obtaining such a determination.

First, the FBI emphasized delay requests “won’t be processed unless they are made immediately upon a company’s determination of materiality.”

Requests must be submitted to the FBI (through a dedicated email address that will soon be established), the Secret Service, the Cybersecurity and Infrastructure Security Agency, the Department of Defense, or another sector risk management agency.

Requests must include basic company background information, like name and incident location, along with:

  • When the cybersecurity incident occurred and when materiality was determined;
  • A detailed description of the incident (e.g., type of incident, known or suspected intrusion vectors, data affected, and operational impact);
  • Current status of remediation efforts; and
  • Relevant company points of contact.

The FBI said engagement with the agency does not automatically make an incident material. It further recommended publicly traded companies establish a relationship with the cyber squad at their local FBI field office.