Some public companies are still trying to figure out how to comply with new rules from the US Securities and Exchange Commission requiring speedy disclosure of significant cyberattacks.
Those rules, which kicked in Monday, require companies to report cyber incidents within four business days of determiningthey are “material” to shareholders. The SEC previously required firms to disclose major events that would be of shareholder interest, but didn’t specify cyber events.
Making that determination isn’t so easy, said Erez Liebermann, partner at Debevoise & Plimpton law firm.
In the past three months, Liebermann has advised more than 50 publicly listed companies on how to prepare for the new SEC rule, and participated in tabletop exercises with executives to help understand whether their new processes will stand up under the pressure of a major hack. Describing or quantifying what make makes an incident material to investors in the midst of responding to it is “super difficult,” Liebermann said.
US officials, who requested anonymity to speak freely on the topic, said the new rules will boost visibility into cyberattacks, which are widely underreported. However the SEC rules have received pushback, with the US Chamber of Commerce and two of five SEC Commissioners opposing.
Under the new rules, public companies have to report on the impact of a material hack, including what data was publicly disclosed and the processes the company took to mitigate risk. They also must disclose how they manage cybersecurity risks in annual reports.
A senior official at the Cybersecurity and Infrastructure Security Agency told reporters that requiring more information would ultimately deliver a net benefit, saying ubiquitous underreporting has an adverse impact on the US government’s ability to help address hacking.
The requirements take hold after a few years in which cyberattacks temporarily disrupted crucial sectors of the economy, including meat production, shipping and Treasury trades. Often, hackers demand money from the victims to unlock computer systems that are encrypted with ransomware or demand an extortion payment not to release stolen company documents.
Some executives have suggested that complying with the new rules could also harry security officers at a time they are responding to big hacks in real time.
George Gerchow, chief security officer at Sumo Logic Inc., said he believes the newly required disclosures could even incentivize hackers to immediately target a company that revealed it was in the midst of fighting a cyberattack.
“It’s just exhausting,” he said of his experience of arecent hack at his company.
Merritt Baer, field chief information security officer at the cyber firm Lacework, said that although companies have had months to prepare for the new rule, meeting the deadlines would still be “painful” and create anxiety for CISOs, who could be held accountable for their actions. Companies also are likely start taking cybersecurity much more seriously, she said.
An exemption to the rule allows the Attorney General to delay a company’s disclosure by up to 120 days on account of national security or public safety. Senior Justice Department and FBI officials told reporters thatcompanies that think they may be eligible should apply as soon as they decide the incident is material or even before. The exemption will apply only rarely, officials said.
Photo: Photographer: Andrew Harrer/Bloomberg
Topics Cyber
Was this article valuable?
Here are more articles you may enjoy.
AIG General Insurance Chairman McElroy to Retire May 1 
Aon Completes $13B Acquisition of Middle-Market Broker NFP 
Trump’s Bond Insurer Tells Judge Shortfall Is ‘Inconceivable’ 
Chubb to Acquire MGA Healthy Paws From Aon 
