Companies still figuring out how to comply with SEC cyber rules

Some public companies are still trying to figure out how to comply with new rules from the Securities and Exchange Commission requiring speedy disclosure of significant cyberattacks.

Those rules, which took effect on Monday, require companies to report cyber incidents within four business days of deciding they are "material" to shareholders. The SEC previously required firms to disclose major events that would be of shareholder interest, but didn't specify cyber events.

Making that decision isn't so easy, said Erez Liebermann, partner at the Debevoise & Plimpton law firm.

In the past three months, Liebermann has advised more than 50 publicly listed companies on how to prepare for the new SEC rule, and participated in tabletop exercises with executives to help understand whether their new processes will stand up under the pressure of a major hack. Describing or quantifying what makes an incident material to investors in the midst of responding to it is "super difficult," Liebermann said.

U.S. officials, who requested anonymity to speak freely on the topic, said the new rules will boost visibility into cyberattacks, which are widely underreported. However, the SEC rules have received pushback, with the U.S. Chamber of Commerce and two of the five SEC commissioners opposing them.

Under the new rules, public companies have to report on the effects of a material hack, including what data were publicly disclosed and the processes the company took to mitigate risk. They also must disclose how they manage cybersecurity risks in annual reports.

A senior official at the Cybersecurity and Infrastructure Security Agency told reporters that requiring more information would ultimately deliver a net benefit, saying ubiquitous underreporting has an adverse effect on the U.S. government's ability to combat hacking.

The requirements take hold after a few years in which cyberattacks temporarily disrupted crucial sectors of the economy, including meat production, shipping and Treasury trades. Often, hackers demand money from the victims to unlock computer systems that are encrypted with ransomware or demand an extortion payment not to release stolen company documents.

Some executives have suggested that complying with the new rules could also harry security officers at a time they are responding to big hacks in real time.

George Gerchow, chief security officer at Sumo Logic, said he believes the newly required disclosures could even incentivize hackers to immediately target a company that revealed it was in the midst of fighting a cyberattack.

"It's just exhausting," he said of his experience of a recent hack at his company.

Merritt Baer, the field chief information security officer at the cyber firm Lacework, said that although companies have had months to prepare for the new rule, meeting the deadlines would still be "painful" and create anxiety for CISOs, who could be held accountable for their actions. Companies are also likely to start taking cybersecurity much more seriously, she said.

An exemption to the rule allows the Attorney General to delay a company's disclosure by up to 120 days on account of national security or public safety. Senior Justice Department and FBI officials told reporters that companies that think they may be eligible should apply as soon as they decide the incident is material or even before. The exemption will apply only rarely, officials said.

Bloomberg News