SEC's New Rule on Cyber Breach Disclosure Explained
Oct 13, 2024
Explore the SEC’s groundbreaking rule on mandatory cybersecurity breach disclosures for publicly traded companies and the implications for national security. Learn how quick collaboration with the FBI can impact your response strategy during a breach situation.
0:00
uh late last year the SEC Securities
0:02
Exchange Commission adopted a rule for
0:05
uh uh material disclosure of material
0:06
cyber security events uh for for
0:09
publicly traded companies um I believe
0:11
the notification window's within four
0:13
days of uh of identifying M material
0:15
cyber breach um there is a national
0:18
security waiver for that disclosure rule
0:22
um in the event that the government
0:23
determines there there could be some uh
0:25
national security uh related uh impacts
0:27
or or considerations
0:30
H I'm just curious how has that sort of
0:31
played out in practice for you yeah so
0:34
folks here mostly may be aware so as you
0:36
said Dustin the SEC adopted a rule in
0:38
December that requires public disclosure
0:41
uh or disclosure to the SEC and
0:43
therefore to the market for publicly
0:45
traded companies of a material cyber
0:47
breach um and there have been dozens of
0:51
those disclosures the rule also though
0:53
includes a waiver or the capacity to
0:56
delay disclosure if such a disclosure
0:59
would uh impose substantial risks on
1:02
national security or public safety uh it
1:04
makes sense right we there there are
1:06
occasions where simply disclosing it
1:08
might actually reveal a vulnerability
1:11
that hasn't been fully remediated say a
1:12
zero day type attack right so we want to
1:14
be in a position to delay disclosure to
1:17
take steps to remediate the the risk um
1:21
and and I can say here that in fact um
1:25
we have on a number of occasions delayed
1:27
disclosure uh and um it's a it's an
1:30
authority that's exercised by the
1:32
Attorney General but that authority has
1:33
been delegated to me and and where again
1:37
there has been a substantial risk to
1:39
national security uh on a number of
1:41
occasions we have delayed disclosure in
1:44
order to take the steps necessary to
1:46
protect national security it is the case
1:48
as you said that it's a very compressed
1:50
timeline so um the companies are
1:53
required to make that disclosure within
1:54
4 days of identifying a material breach
1:57
so one of the key points is you know if
1:59
a company
2:00
uh identifies as a breach you know I
2:03
again my strong uh encouragement would
2:05
be to work very quickly and closely with
2:08
the FBI even before you've made that
2:10
materiality decision because once you
2:12
determine that there's a material breach
2:14
four days is not a long time then to get
2:16
you know to make the judgments about
2:18
whether to seek a delay in disclosure uh
2:21
but it's a it's a it's an important part
2:23
of the rule it can be extended from 30
2:25
days up to 120 days so um it's not
2:28
unbounded but it does give the the
2:31
government with the private sector the
2:33
opportunity to take the necessary steps
2:35
that we think we need to take to to
2:36
protect either public safety or national
2:38
security and then you're the one making
2:40
that determination for the government
2:42
yeah it could be me or someone the
2:44
Attorney General the deputy attorney
2:45
general it and and and but it's been
2:47
delegated to me um and you know the
2:49
reason is because uh I'm you know in the
2:52
National Security Division and we have a
2:54
a group of prosecutors and and experts
2:56
and we work closely with the FBI's cyber
2:58
team we're in a strong position to be
3:01
able to make that judgment about the
3:02
impact uh of disclosure on national
3:04
security you spend all day in a SCIF so
3:06
they say make the guy in the SCIF figure
3:08
this out yeah exactly I spent all day in
3:09
a SCIF without my cell phone without so
3:12
yeah can you say you said a number of
3:14
just I think this is the first time that
3:15
you've you've said this publicly can you
3:17
say how many delays uh of disclosure
3:20
there have been I can't say how many and
3:21
I can't say anything more in terms of
3:23
the companies and or or details but um
3:26
but it has happened uh on a number of
3:28
occasions you wouldn't be able to say if
3:30
these have been China related attacks
3:32
Russia related attacks or anything about
3:34
that correct no more
3:37
no I wouldn't be able to say no more