U.S. Congressman and Homeland Security Chairman Mark Green (R-TN-07) signed a letter this week urging the Securities and Exchange Commission (SEC) to rethink a new rule on cybersecurity for public companies.
According to the new SEC rule, effective Tuesday, publicly traded corporations must alert the SEC of a cyberattack within four days of the event. A company’s strategies and procedures for managing cybersecurity risk must also be disclosed on a regular basis, among other requirements.
Green, along with Subcommittee on Cybersecurity and Infrastructure Protection Chairman Andrew Garbarino (R-NY-02) and Congressman Zach Nunn (R-IA-03), sent a letter to SEC Chair Gary Gensler claiming that the rules are redundant and will burden public firms with more red tape. Additionally, they claim that the regulations violate the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) and pose the danger of jeopardizing their privacy.
“We write expressing serious concerns over the Securities and Exchange Commission’s (SEC) new Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure final rules. While the SEC’s intent may be to standardize disclosures regarding cybersecurity governance and incident reporting by public companies, these new expansive disclosure requirements for public companies will do just the opposite by duplicating and confusing existing cyber incident reporting requirements. Further, the new rules compromise the confidentiality of a company’s cybersecurity program, thus harming investors instead of protecting them as the rules purport to do,” the lawmakers said.
According to the Congressmen, these newly issued SEC rules contradict congressional and administration intent.
“The passage of CIRCIA proved that cyber regulatory harmonization is a bipartisan priority in Congress, and the Administration itself has emphasized it as well. In the recent National Cybersecurity Strategy and accompanying Implementation Plan, the Administration highlights the importance of harmonizing cyber regulations across the government as well as harmonizing incident reporting requirements, specifically. The former challenge is given to the Office of the National Cyber Director to implement, while the latter is given to the congressionally-created Council. It is clear that these recently issued SEC rules run contrary to both congressional and Administration intent,” the lawmakers said.
The Republicans call on the SEC to develop the regulation with the Department of Homeland Security’s (DHS) Cyber Incident Reporting Council. In addition, they ask the SEC to examine how these regulations may influence the CIRCIA, other federal cyber incident reporting requirements, and future disclosure plans.
“Given the potentially harmful consequences of the final rule, we urge the SEC to delay the rule until the SEC works with the Council to determine how the rule interacts with CIRCIA and other Federal prudential regulators’ cybersecurity incident reporting requirements. Furthermore, we call on the SEC to conduct a complete internal analysis of how this rule will interact with the SEC’s other cybersecurity disclosure proposals before this final rule goes into effect. Failing to do so will only jeopardize companies’ confidential reporting strategies and publicly divulge vulnerabilities to our Nation’s critical infrastructure,” the lawmakers said.
According to Green, these new rules only increase cybersecurity risks.
“We have laws in place to protect our homeland and infrastructure from cyber-attacks. SEC’s public disclosure requirements will only increase cybersecurity risk,” Green said.
The Tennesee Star reached out to Green and SEC for comment but did not receive a reply before press time.
– – –
Hannah Poling is a lead reporter at The Ohio Star, The Star News Network, and The Tennessee Star. Follow Hannah on Twitter @HannahPoling1. Email tips to [email protected]
Background Photo “SEC Building” by AgnosticPreachersKid. CC BY-SA 3.0.
