Complying With SEC Cyber Rules Remains 'Super Difficult'

Some public companies are still trying to figure out how to comply with new rules from the U.S. Securities and Exchange Commission requiring speedy disclosure of significant cyberattacks.

Those rules, which kicked in Monday, require companies to report cyber incidents within four business days of determining they are “material” to shareholders. The SEC previously required firms to disclose major events that would be of shareholder interest, but didn’t specify cyber events.

Making that determination isn’t so easy, said Erez Liebermann, partner at Debevoise & Plimpton law firm.

In the past three months, Liebermann has advised more than 50 publicly listed companies on how to prepare for the new SEC rule, and participated in tabletop exercises with executives to help understand whether their new processes will stand up under the pressure of a major hack.

Describing or quantifying what make makes an incident material to investors in the midst of responding to it is “super difficult,” Liebermann said.

U.S. officials, who requested anonymity to speak freely on the topic, said the new rules will boost visibility into cyberattacks, which are widely underreported. However the SEC rules have received pushback, with the U.S. Chamber of Commerce and two of five SEC Commissioners opposing.

What’s in the New Rules

Under the new rules, public companies have to report on the impact of a material hack, including what data was publicly disclosed and the processes the company took to mitigate risk. They also must disclose how they manage cybersecurity risks in annual reports.

A senior official at the Cybersecurity and Infrastructure Security Agency told reporters that requiring more information would ultimately deliver a net benefit, saying ubiquitous underreporting has an adverse impact on the U.S. government’s ability to help address hacking.