The U.S. Securities and Exchange Commission rules take effect on December 18, requiring companies to disclose material cyberattacks promptly and to report annually on their cyber risks and vulnerabilities.
In an article for Corporate Counsel, data, privacy & cybersecurity co-head Ed McNicholas said the rules could push companies to over-disclose or to include inaccurate information about a breach, in the interest of appearing proactive and avoiding stiff penalties.
“I think the SEC’s efforts are well-intentioned in trying to get more information out to investors, but the SEC lacks the experience with cybersecurity events in large companies to do this effectively at this point,” Ed said.
“Complicated data breaches often have significant dwell time when attackers are in the network moving around and conducting reconnaissance and then start to do small exploitations while remaining extremely stealthy,” Ed added. “In this kind of spy-versus-spy environment it’s very difficult to say at what point you have a material issue.”
“I look at it as pieces in a mosaic. At some point, the whole mosaic might be material, but it’s going to be very complicated for a company to assess, if they have five pieces of this mosaic, whether it is material now,” said Ed.