New SEC Cybersecurity Rule a ‘Business Problem,’ Not Just IT or Legal, According to Experts

The new disclosure requirements for public companies will require time and resources to meet cybersecurity needs.


New cybersecurity rules adopted by the Securities and Exchange Commission last month will require investments in additional training and resources, according to compliance experts who have studied the rule.

Under the new rules, public companies need to disclose significant cybersecurity events within four business days of their discovery and maintain policies and procedures to ensure compliance. The first step for businesses to meet these regulations will be determining if a digital risk is “significant” or not, according to Richard Cooper, the global head of financial services at Fusion Risk Management. To do that, he says, firms must first understand what their business is and what security breaches would be a concern.

“This isn’t an IT problem; it’s a business problem,” he explains.

Different firms have different priorities, and a regulator such as the SEC does not have insight into the nuances of every business, Cooper notes. The word “significant” is ambiguous, but “it’s ambiguous for your own good,” because the alternative would be the SEC deciding how to run and protect individual businesses.

Cooper gives the example of a bank’s access to cash, loans or key information on its clients and the market being breached or compromised as a “significant event.” But leaks of internal training material, preliminary data or publicly available information probably would not be considered “significant.”

Cooper adds that, for all relevant companies, employee training will be essential. If one department is compromised, then the entire firm has only four days to report it. This means employees will need to be able to recognize an event and know how to report it and to whom. Cooper asks, “Are you confident they will tell you quickly enough?” Companies should therefore focus training efforts on all departments rather than just the IT and legal divisions, he says.

If there is a significant digital event, a firm can request two 30-day extensions, followed by a final 60-day extension, by appealing to the U.S. Attorney General’s office to determine that disclosing the event would compromise national security or public safety, according to the rule.

Helen Christakos, a partner in Allen & Overy LLP, says, “It’s going to be a challenge to get in touch with the AG in that short a window.” She adds that “there will be something of an art to writing these disclosures” to ensure compliance with the SEC’s rule while not complicating investigations taking place at the state or local level, since those officials do not have the authority to request a postponement of the disclosure.

Speaking of state law enforcement, Christakos recommends that companies “make sure everyone is in the loop and comfortable with what is disclosed,” but that, ultimately, a firm must still comply with the SEC rule.

There is no additional postponement for a significant cybersecurity event after 120 days, according to the rule.

Michael Borgia, a partner in Davis Wright Tremaine LLP, quips that “after 120 days, it no longer matters what the AG thinks about national security; you have to disclose it.”

 
