ISC2 has previously revealed concerns related to the SEC Incident Disclosure Rules and the uncertainty surrounding definitions of terms and vague processes. The FBI issued a policy notice on December 6, 2023 detailing the process for requesting a delay. On December 12, 2023, the DOJ released departmental guidelines outlining the process for requesting a delay of cyber incident disclosures.

To request a delay in disclosing an incident, businesses can contact the FBI directly at cyber_sec_disclosure_delay_referrals@fbi.gov. Specific information must be included in the delay request; the required details can be found on the FBI’s website.

According to the DOJ, examples of incidents that might be allowed to delay reporting include:

  • A cybersecurity incident that involved a technique without a well-known mitigation – for example, a software vulnerability with no patch yet available – that could pose a public safety or national security risk.
  • Disclosure of the incident could reveal confidential information or sources or put critical infrastructure or public safety at risk.
  • An attack against a company holding sensitive government information, where announcing the attack could lead to additional attacks or expose further vulnerabilities.

Why This Matters

The SEC final rule, issued in July, requires all publicly traded companies to report material cyber incidents within four days. These requirements went into effect on December 18. Smaller companies are allotted a 180-day extension before they must begin submitting incident reports.

The FBI and the DOJ note that exceptions are likely to be granted in limited circumstances and that notifying the FBI quickly will be a determining factor when considering exceptions.

Resources for ISC2 Members

The ISC2 Skill Builders on GRC provide opportunities to learn and develop additional competencies, making compliance and comprehension of regulation changes easier. This educational asset is free for ISC2 members and $19 for non-members.

ISC2's Certified in Governance, Risk and Compliance (CGRC) certification offers a long-term path for skills development and competency in the risk management process aspects of the SEC rules.

Subject matter experts discuss Your Window into Governance, Risk & Compliance during a 60-minute panel discussion at ISC2 Security Congress 2023.

ISC2 previously hosted a webinar on Board Level Reporting Metrics – Getting the Conversation Right that focused on risk profiles and the metrics used to communicate with the Board of Directors to articulate risk.

ISC2 hosts regular panel discussions on trending security topics featuring thought leaders and visionaries from the industry who answer questions from the audience. Setting up an account is easy, and you can be notified when ISC2 has upcoming topics.

A joint resolution was introduced in Congress in November that would overturn the SEC rules if passed. Read more on ISC2 Insights: Resolution to Overturn SEC Cyber Disclosure Rule Introduced.

More insightful content is coming soon to help you prepare for future policy and regulations. Stay tuned to ISC2 Insights, Community, Press Center and Social Media for more information when it becomes available.