On March 7, 2018, FBI Director Christopher Wray delivered remarks at Boston College that highlight the agency’s ongoing efforts to better respond to cyber threats.  Director Wray’s remarks focused on the private and public sector partnerships that the FBI (and other authorities) are cultivating to combat the increased sophistication of cyber threats as they evolve into what he described as “full-blown economic espionage and extremely lucrative cyber crime.”

Of particular note, Wray emphasized the need for cooperation among authorities and the private sector to mitigate emerging cyber threats.  To foster this cooperation, he explained that the FBI “treat[s] companies as victims” when they report a cyber attack.  For the FBI and its public partners, Wray said that it is most important that a company calls the authorities “as promptly as possible” when there are indications of unauthorized access to, or malware on, critical IT systems, or when there is significant loss of data, systems, or systems control, particularly when an attack implicates national security, economic security, or public health and safety.

Director Wray drew attention to the potentially disparate approaches taken by different authorities towards corporate victims of cyber attacks.  Wray said that the FBI will do “everything [it] can to help” a company that reports a cyber attack, and indicated that the FBI’s Cyber Crime division will share information among federal authorities when necessary to help the company.  In contrast, certain other federal and state authorities have taken on a more adversarial role with respect to reporting companies.  It was later reported that Wray, after delivering his prepared remarks, criticized the “less-enlightened enforcement agencies” that have adopted such a posture.[1]  Wray explained that the FBI did not “view it as [its] responsibility” to share information provided to it by corporate victims “with some of those other agencies.”[2]

Director Wray’s remarks underscore the FBI’s position that corporations that suffer cyber attacks will be treated as victims by the agency, and therefore, the FBI will not ordinarily provide information self-disclosed by such companies to other federal and state civil regulators.  Although there are many potential considerations to take into account when deciding whether to self-report a cyber attack to the FBI, the Director’s strong public statements suggest that the FBI will be sensitive to those concerns if companies choose to cooperate with the law enforcement agency.

The full text of Wray’s prepared remarks can be found here.

[1] Nate Raymond, FBI chief:  Corporate hack victims can trust we won’t share info, Reuters (Mar. 7, 2018), https://www.reuters.com/article/us-usa-fbi-wray/fbi-chief-corporate-hack-victims-can-trust-we-wont-share-info-idUSKCN1GJ2QS.

[2] Id.