SEC Cybersecurity Rules Go Live in Days. Companies Still Aren’t Sure What to Expect | Law.com

Much of the consternation around the cyberattack disclosure rules centers around materiality. While the SEC expects companies to report incidents they deem to have been material within four days of making that determination, critics of the rule say the SEC hasn’t shed much light on what it considers to be material.

Incidents that initially set off alarm bells often turn out to be minor, or far more limited than previously thought, said Ilia Kolochenko, CEO of Swiss-based security company ImmuniWeb. “The problem is you cannot unring the bell,” he said. “We’ve observed several quite awkward and very harmful cases—financially speaking—when companies overdisclosed then made corrections saying, ‘Oh, actually it wasn’t that bad.’”

Ed McNicholas, co-leader of Ropes & Gray’s data, privacy and cybersecurity practice, who represents the former CEO of SolarWinds, said the rules could push companies to overdisclose or include inaccurate information about a breach, all in the interest of being proactive to avoid stiff penalties.

“I think the SEC’s efforts are well-intentioned in trying to get more information out to investors, but the SEC lacks the experience with cybersecurity events in large companies to do this effectively at this point,” he said.
