Cybersecurity Rule Could Prompt Firms to 'Cry Wolf': SEC Roundup

Welcome to SEC Roundup, a bimonthly video series by former Securities and Exchange Commission senior trial counsels Nick Morgan and Tom Zaccaro, founders of the nonprofit advocacy group Investor Choice Advocates Network.

Listen in as former federal cybercrime prosecutor Joe Sullivan describes the possible unintended negative consequences of the SEC’s newly effective cyberattack disclosure rule.

The SEC cybersecurity incident disclosure rules that went into effect in December require public companies to report “material” cybersecurity incidents within four business days of determining the incident’s materiality.

As the former chief security officer of Facebook and Uber who experienced his own travails dealing with cyberattacks, Sullivan is concerned that the SEC’s rule may result in premature or inadvertently inaccurate disclosures because of the inherent conflict between the chief information security officer’s proper impulse to “pull every fire alarm” at the first hint of a hack and the rapidly evolving, forensically challenging nature of cyber breaches.

Contrary to the SEC’s purpose in promulgating the rule, many of the resulting disclosures may look more like crying wolf and shouting fire in a crowded theater — without much benefit to investors.
