ISC2 has previously revealed concerns related to the SEC Incident Disclosure Rules and the uncertainty surrounding definitions of terms and vague processes. The FBI issued a policy notice on December 6, 2023 detailing the process for requesting a delay. On December 12, 2023, the DOJ released departmental guidelines outlining the process for requesting a delay of cyber incident disclosures.
To request a delay in disclosing an incident, businesses can contact the FBI directly at cyber_sec_disclosure_delay_referrals@fbi.gov. There is specific information that must be included in the delay request. That can be found on the FBI’s website.
According to the DOJ, examples of incidents that might be allowed to delay reporting include:
- A cybersecurity incident that involved a technique without a well-known mitigation – for example, a software vulnerability with no patch yet available – that could pose a public safety or national security risk.
- Disclosure of the incident could reveal confidential information or sources or put critical infrastructure or public safety at risk.
- An attack against a company holding sensitive government information, as announcing the attack could lead to additional attacks or vulnerabilities.
Why This Matters
The SEC final rule, issued in July, requires all publicly traded companies to report material cyber incidents within four days. These requirements went into effect on December 18. Smaller companies are allotted a 180-day extension before they must begin submitting incident reports.
The FBI and the DOJ note that exceptions are likely to be granted in limited circumstances and that notifying the FBI quickly will be a determining factor when considering exceptions.
Resources for ISC2 Members
The ISC2 Skill Builders on GRC provide opportunities to learn and develop additional competencies, making compliance and comprehension of regulation changes easier. This educational asset is free for ISC2 members and $19 for non-members.
ISC2’s Certified in Governance, Risk and Compliance (CGRC) certification offers a long-term path for skills development and competency in the risk management process aspects of the SEC rules.
Subject matter experts discuss Your Window into Governance, Risk & Compliance during a 60-minute panel discussion at ISC2 Security Congress 2023.
ISC2 previously hosted a webinar on Board Level Reporting Metrics – Getting the Conversation Right that focused on risk profiles and the metrics used to communicate with the Board of Directors to articulate risk.
A recent webinar on Board Level Reporting Metrics – Getting the Conversation Right discussed risk profiles and the metrics used to communicate with the Board of Directors to articulate risk.
ISC2 hosts regular panel discussions on trending security topics featuring thought leaders and visionaries from the industry who answer questions from the audience. Setting up an account is easy and you can be notified when ISC2 has upcoming topics.
A joint resolution was introduced in Congress in November that would overturn the SEC rules if passed. Read more on ISC2 Insights: Resolution to Overturn SEC Cyber Disclosure Rule Introduced.
More insightful content is coming soon to help you prepare for future policy and regulations. Stay tuned to ISC2 Insights, Community, Press Center and Social Media for more information when it becomes available.