New SEC cybersecurity rules: Why your legal department is worried

The SEC wants companies to reveal the cybersecurity credentials of their management and board and to report breaches within four days.

Cybersecurity compliance, already an anxiety-inducing topic, is about to get even trickier.

The U.S. Securities and Exchange Commission recently rolled out a host of proposed new cybersecurity rules for public companies, including a requirement to disclose material cybersecurity incidents within four days.

The rules also mandate that companies disclose their cybersecurity risk-assessment strategy, disclose the cybersecurity expertise of management and board members, and provide updates on previously disclosed cybersecurity events.

“A lot of issuers already provide cybersecurity disclosure to investors,” SEC Chairman Gary Gensler said in a statement. “I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner.”

Cybersecurity already is very much on the radar of legal department chiefs. The 2022 edition of the annual Association of Corporate Counsel survey, released last month, found that—for the second consecutive year—it was the top concern of the chief legal officers surveyed.

A January study by KPMG found that senior risk executives in the Americas reported record losses from fraud, compliance breaches and cyberattacks over the last year and expect threats to grow in 2022.

“Collectively, these issues create a ‘threat loop’ which can quickly overwhelm companies with economic loss, regulatory loss and reputational loss,” Amanda Rigby, KPMG’s forensic service network leader in the United States, said in the report.

Complying with the new SEC rules might be challenging for companies at times, especially the four-day disclosure requirement, lawyers from Sidley Austin wrote in a note to clients. They noted that cybersecurity incidents are common these days, even when companies have implemented reasonable information-security programs and defenses.

The breaches range from trivial to material, the client note said, “depending on the specific facts of the particular incident. The proposed rules do not provide substantially greater clarity from prior guidance for when an incident crosses the materiality threshold. That determination remains a complex analysis of several factors.”

Meeting the four-day reporting deadline would keep cybersecurity-services vendors that work with public companies “on their toes,” wrote D. Howard Kass, a writer for MSSP Alert, which tracks the managed security services industry.

Further, that tight time frame might lead to tension between the SEC and other parts of government, including the cyber and intelligence arms of the Department of Justice, Baker Botts lawyers wrote in a note to clients.

For example, the law firm wrote, “particularly in an age of nation-state sponsored cyberattacks, the prompt [disclosure] could provide a malicious actor with valuable, timely intelligence on the effectiveness of its cyberattack efforts.”

SEC Commissioner Hester Peirce dissented from the proposal, saying it goes too far. She said it “flirts with casting us as the nation’s cybersecurity command center, a role Congress did not give us.”

She questioned whether “securities regulators are … best suited to design cybersecurity programs to be effective for all companies, in all industries, across time.”

The SEC soon will open a 60-day window for companies and other interested parties to submit feedback on the proposal.

Greg Andrews is an editor/reporter for BenefitsPRO’s parent company ALM Media’s In-House desk. He previously was editor of Indianapolis Business Journal and business editor of The Indianapolis Star. Contact him at gandrews@alm.com. On Twitter: @Greg_Andr