Can Public Disclosures of Cybersecurity Incidents Be Delayed?
Cybersecurity incident reporting delays might be approved for national security reasons.
February 12, 2024
The U.S. Securities and Exchange Commission (SEC) adopted new rules in July 2023 that give publicly traded companies four days to disclose the occurrence of a “material” cyber event via regulatory filing. The rules took effect on December 18, 2023.
In light of the SEC’s new cyber incident reporting rules, federal officials have offered guidance on when they may approve delays in the interest of national security. The U.S. Department of Justice (DOJ) and the FBI gave examples of scenarios that may warrant delay.
Limited Circumstances Warranting Reporting Delays
“The primary inquiry for the Department is whether the public disclosure of a cybersecurity incident threatens public safety or national security, not whether the incident itself poses a substantial risk to public safety and national security,” stated the DOJ. “While cybersecurity incidents themselves frequently threaten public safety and national security, the disclosure to the public that those incidents have occurred poses threats less often.”
These “limited circumstances” would apply to cases where a company “reasonably” suspects the event occurred because of a tactic with no known mitigation—for example, an as-yet-unpatched software vulnerability. Another example given involved events impacting systems containing sensitive government information.
“This category includes systems operated or maintained for the government as well as systems not specifically operated or maintained for the government that contain information the government would view as sensitive, such as that regarding national defense or research and development performed pursuant to government contracts,” said the DOJ. It also highlighted events involving public companies performing remediation efforts for critical infrastructure or critical systems. The FBI “strongly” encouraged companies to quickly contact federal officials as soon as they determine an event could threaten national security or public safety.
Cybersecurity Preparedness: How Hylant Can Help
All businesses are potential targets for cyberattacks. Hylant works with organizations to help their leadership teams, boards of directors, IT departments and risk managers understand, prepare for and address their cyber risks.
We provide risk profiling, exposure quantification, risk readiness and incident response planning services and tools, and insurance procurement and negotiation. Working together with our clients, we minimize the potential financial and reputational impacts of cyber events on the organization. To learn more, contact us.
The above information does not constitute advice. Always contact your insurance broker or trusted advisor for insurance-related questions.