SEC Cyber Enforcement Chief Provides Insight on New Rules
Hello. It was clear to me as I talked to people at the FAIR Institute's conference of risk and cyber professionals in Washington, D.C., this week that corporate security chiefs are wary of their new responsibilities to help their companies comply with the Securities and Exchange Commission's cyber disclosure rules.
The most angst-inducing part of the rules, which come into force in December, is the requirement to report an incident within four days of deeming it material to the business. Such a disclosure should describe what makes the attack material.
David Hirsch, who as chief of the crypto asset and cyber unit in the SEC's enforcement division is responsible for enforcing the rules, offered some enlightening views on preparing for them in a panel discussion I moderated at the conference. His perspective on key points is below.
More news:
- Personal details about energy industry workers accessed
- Disinformation deadlines for Meta, TikTok
- MGM Resorts board member speaks out on paying ransoms
- Saying 'no' to generative AI
Power industry service company hacked, personnel data accessed. Weymouth, Mass.-based BHI Energy said sensitive data about 91,269 individuals was exposed in a June cyber incident. The information includes names, addresses, dates of birth, Social Security numbers and, in some cases, health data. BHI manages projects and provides services to nuclear, oil and gas and other energy companies.
Disinformation deadlines: Facebook parent Meta Platforms and ByteDance's TikTok have one week to supply details to the European Union about how they are fighting disinformation on their services. The directive from the bloc, issued Thursday, includes how the companies are handling violent content and hate speech after the Hamas attack on Israel on Oct. 7. The EU gave the companies until Nov. 8 to provide information about how they are protecting the integrity of elections. (Reuters)
Simpson Manufacturing expects no material impact from cyberattack. The Pleasanton, Calif.-based company said an intrusion detected Oct. 10 that disrupted business operations for three days isn't expected to have material effects on its financial condition. The full cost of the incident hasn't yet been determined, Simpson said Thursday in an SEC filing.
Battling the biggest cyber threats: The Cybersecurity and Infrastructure Security Agency updated its "#StopRansomware Guide" with new information about hardening web browsers and watching for data exfiltration, among other items.
- CISA, along with other U.S. and state officials, also published a guide on phishing campaigns that includes recommendations for prevention and response.
32%: Percentage of organizations that have banned access to generative AI tools, according to a survey of 1,200 managers involved in technology at their companies, from cybersecurity provider ExtraHop
Newsletter Extra: The SEC's Cyber Rules
Some chief information security officers are worried about how to help their companies comply with the SEC's cyber rules, which call for disclosing an attack within four days of determining it is material.
Concerns include: Does a materiality call fall mainly to the CISO? What if a disclosure turns out to be wrong? Will the act of disclosing trigger a material event, such as a stock sell-off?
David Hirsch, chief of the crypto asset and cyber unit in the SEC's enforcement division, gave his views to a gathering of risk and cyber professionals hosted by the FAIR Institute, a nonprofit focused on risk management. Here are excerpts:
On preparing to comply:
"Coming up with plans in advance, testing the efficacy of those plans, being mindful of how you think about materiality both in terms of qualitative and quantitative—I think those are the sorts of processes that will lead to better results."
On being wrong:
"I don’t think there’s an expectation on the part of regulators that anyone’s going to have perfect visibility and a perfect explanation for what occurred and the potential consequences of it within four days. I think it is contemplated that it’s an iterative process where the company should go out, explain that it was a material event and talk some about the potential consequences of that. But if later, in good faith, they develop additional information that contradicts what they thought they knew before or adds significant color to what they previously told their investors, there’s an opportunity and expectation that there will be a further disclosure to bring the investors into the tent [on] what has happened and what is the potential impact that may have for their investing decisions."
On normalizing cyber disclosure:
"My hope is that by companies more frequently filing 8-Ks and the fact of breaches becoming something that is routinely reported, that it becomes less stigmatized and becomes less significant in the minds of investors. Not that it will never impact stock price but that, hopefully, if this is just one in a stream of incidents that everybody is potentially vulnerable to, there’s less individual-entity impact from any individual cyber-event disclosure."
—Kim S. Nash
Our weekly roundup of stories from across WSJ Pro that we think you'll find useful. They are unlocked for WSJ subscribers.
- Private-equity firm Springcoast Capital Partners has amassed more than $500 million so far for its debut commingled fund and a related investment vehicle, WSJ reported. Springcoast thus far has built a portfolio of five companies, although its investment professionals have backed more than 20 over their careers, according to the firm. Among them are cybersecurity and governance companies Deepwatch, Acronis and Egnyte.
- Harmonic Security, based in London and San Francisco, secured $7 million in seed funding to work on tools for securing generative AI projects. Ten Eleven Ventures led the investment.
- Australian startup CipherStash raised $3 million in seed funding led by Skip Capital. CipherStash is building technology to let data analysts query encrypted data and identify unauthorized attempts to access the data. (SecurityWeek)