Ed McNicholas Discusses Challenges for Corporations as SEC’s Cybersecurity-disclosure Rules Go Live

December 7, 2023

The U.S. Securities and Exchange Commission’s cybersecurity-disclosure rules take effect on December 18, requiring companies to promptly disclose material cyberattacks and to file annual reports about cyber risks and vulnerabilities.

In an article for Corporate Counsel, data, privacy & cybersecurity co-head Ed McNicholas said the rules could push companies to over-disclose or include inaccurate information about a breach, all in the interest of being proactive to avoid stiff penalties.

“I think the SEC’s efforts are well-intentioned in trying to get more information out to investors, but the SEC lacks the experience with cybersecurity events in large companies to do this effectively at this point,” Ed said.

“Complicated data breaches often have significant dwell time when attackers are in the network moving around and conducting reconnaissance and then start to do small exploitations while remaining extremely stealthy,” Ed added. “In this kind of spy-versus-spy environment it’s very difficult to say at what point you have a material issue.”

“I look at it as pieces in a mosaic. At some point, the whole mosaic might be material, but it’s going to be very complicated for a company to assess, if they have five pieces of this mosaic, whether it is material now,” said Ed.