Complying With SEC Cyber Rules Remains 'Super Difficult'

News December 18, 2023 at 01:28 PM
Share & Print

Some public companies are still trying to figure out how to comply with new rules from the U.S. Securities and Exchange Commission requiring speedy disclosure of significant cyberattacks.

Those rules, which kicked in Monday, require companies to report cyber incidents within four business days of determining they are "material" to shareholders. The SEC previously required firms to disclose major events that would be of shareholder interest, but didn't specify cyber events.

Making that determination isn't so easy, said Erez Liebermann, partner at Debevoise & Plimpton law firm.

In the past three months, Liebermann has advised more than 50 publicly listed companies on how to prepare for the new SEC rule, and participated in tabletop exercises with executives to help understand whether their new processes will stand up under the pressure of a major hack.

Describing or quantifying what make makes an incident material to investors in the midst of responding to it is "super difficult," Liebermann said.

U.S. officials, who requested anonymity to speak freely on the topic, said the new rules will boost visibility into cyberattacks, which are widely underreported. However the SEC rules have received pushback, with the U.S. Chamber of Commerce and two of five SEC Commissioners opposing.

What's in the New Rules

Under the new rules, public companies have to report on the impact of a material hack, including what data was publicly disclosed and the processes the company took to mitigate risk. They also must disclose how they manage cybersecurity risks in annual reports.

A senior official at the Cybersecurity and Infrastructure Security Agency told reporters that requiring more information would ultimately deliver a net benefit, saying ubiquitous underreporting has an adverse impact on the U.S. government's ability to help address hacking.

The requirements take hold after a few years in which cyberattacks temporarily disrupted crucial sectors of the economy, including meat production, shipping and Treasury trades. Often, hackers demand money from the victims to unlock computer systems that are encrypted with ransomware or demand an extortion payment not to release stolen company documents.

Some executives have suggested that complying with the new rules could also harry security officers at a time they are responding to big hacks in real time.

George Gerchow, chief security officer at Sumo Logic Inc., said he believes the newly required disclosures could even incentivize hackers to immediately target a company that revealed it was in the midst of fighting a cyberattack.

"It's just exhausting," he said of his experience of a recent hack at his company.

Merritt Baer, field chief information security officer at the cyber firm Lacework, said that although companies have had months to prepare for the new rule, meeting the deadlines would still be "painful" and create anxiety for CISOs, who could be held accountable for their actions. Companies also are likely start taking cybersecurity much more seriously, she said.

An exemption to the rule allows the Attorney General to delay a company's disclosure by up to 120 days on account of national security or public safety.

Senior Justice Department and FBI officials told reporters that companies that think they may be eligible should apply as soon as they decide the incident is material or even before. The exemption will apply only rarely, officials said.

(Image: Adobe Stock)

Copyright 2023 Bloomberg. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.

Related Stories

Resource Center