Cybersecurity Rule Could Prompt Firms to 'Cry Wolf': SEC Roundup

By Nick Morgan

By Tom Zaccaro

January 09, 2024 at 01:14 PM

Welcome to SEC Roundup, a bimonthly video series by former Securities and Exchange Commission senior trial counsels Nick Morgan and Tom Zaccaro, founders of the nonprofit advocacy group Investor Choice Advocates Network.

Listen in as former federal cybercrime prosecutor Joe Sullivan describes the possible unintended negative consequences of the SEC's newly effective cyberattack disclosure rule.

The SEC cybersecurity incident disclosure rules that went into effect in December require public companies to report "material" cybersecurity incidents within four business days of determining the incident's materiality.

As the former chief security officer of Facebook and Uber who experienced his own travails dealing with cyberattacks, Sullivan is concerned that the SEC's rule may result in premature or inadvertently inaccurate disclosures because of the inherent conflict between the chief information security officer's proper impulse to "pull every fire alarm" at the first hint of a hack and the rapidly evolving, forensically challenging nature of cyber breaches.

Contrary to the SEC's purpose in promulgating the rule, many of the resulting disclosures may look more like crying wolf and shouting fire in a crowded theater — without much benefit to investors.

© 2024 ALM Global, LLC, All Rights Reserved.