
Companies must prepare to comply with cyber notifications


The U.S. Securities and Exchange Commission’s cybersecurity rules, which take effect next month, present companies with the double challenge of determining which cyber breaches are material and reporting them within four business days.

The rules also require publicly held companies to describe their processes for assessing, identifying and managing material risks from cybersecurity threats.

“The rules laid out by the SEC have really put this particular issue front and center,” said John Farley, New York-based managing director of Arthur J. Gallagher & Co.’s cyber liability practice.

“A lot of people are concerned it will lead to lawsuits,” said Arturo Perez-Reyes, senior vice president and cyber strategist at San Francisco-based Newfront Insurance.

“There are many companies that are not prepared to support or comply with those rules because they have not taken cybersecurity very seriously,” said Bhavesh Vadhani, Tysons, Virginia-based cybersecurity, technology risk and privacy practice global leader for CohnReznick LLP, an accounting, tax and advisory firm.

They are now evaluating “what they have in place in terms of cyber disclosures and reporting programs and enhancing that,” he said.

Pankaj Goyal, chief operating officer of Palo Alto, California-based Safe Security, said, “Different companies are at different points” in their cybersecurity maturity, with some, such as financial institutions, more mature. 

The four-day requirement does not give companies a lot of time, Mr. Farley said. “You really need to coordinate several different stakeholders within your organization,” including the risk manager, chief information security officer, general counsel, communications and investor relations.

The more specific disclosure timetable “means there is a heightened pressure to understand what happened” and determine issues of materiality as quickly as possible, said Alexander H. Southwell, a partner with Gibson Dunn & Crutcher LLP in New York. It “heightens boards’ interest,” he said.

“What constitutes materiality is really taking up a lot of brain space,” said Britt Eilhardt, New York-based managing director, cyber, for Brown & Brown Inc. “It may look very different from one company to the next as to what constitutes materiality.”

“The first point of contact is the risk manager coordinating with other practice groups to determine materiality,” she said. “Companies are running materiality tabletops” similar to what they do with cyber incidents, she said.

Samantha Levine, Denver-based senior vice president, professional and cyber solutions, at CAC Specialty, an affiliate of brokerage Cobbs Allen, said the issue will be resolved through a combination of “either case law or more defining terms from the SEC as to what they are going to consider to be material.”