U.S. Reps. Mark Green (R-TN), Andrew Garbarino (R-NY), and Zach Nunn (R-IA) are urging the Securities and Exchange Commission (SEC) to rethink a new rule on cybersecurity for public companies.
The rule, which took effect Sept. 5, requires publicly traded companies to disclose a material cybersecurity incident to the SEC within four business days of determining that the incident is material. It also requires periodic disclosure of a company’s policies and procedures for managing cybersecurity risk, among other provisions.
The lawmakers said the rules are duplicative and will create additional bureaucracy for public companies. They also contend that the rules risk compromising the confidentiality of companies’ cybersecurity programs and run contrary to the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).
“We write expressing serious concerns over the Securities and Exchange Commission’s (SEC) new Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure final rules. While the SEC’s intent may be to standardize disclosures regarding cybersecurity governance and incident reporting by public companies, these new expansive disclosure requirements for public companies will do just the opposite by duplicating and confusing existing cyber incident reporting requirements. Further, the new rules compromise the confidentiality of a company’s cybersecurity program, thus harming investors instead of protecting them as the rules purport to do,” the lawmakers wrote in a letter to SEC Chair Gary Gensler.
Green chairs the House Committee on Homeland Security, and Garbarino chairs its Subcommittee on Cybersecurity and Infrastructure Protection.
“Given the potentially harmful consequences of the final rule, we urge the SEC to delay the rule until the SEC works with the Council to determine how the rule interacts with CIRCIA and other Federal prudential regulators’ cybersecurity incident reporting requirements. Furthermore, we call on the SEC to conduct a complete internal analysis of how this rule will interact with the SEC’s other cybersecurity disclosure proposals before this final rule goes into effect. Failing to do so will only jeopardize companies’ confidential reporting strategies and publicly divulge vulnerabilities to our Nation’s critical infrastructure,” they added.
The Republicans are urging the SEC to work with the Department of Homeland Security (DHS) Cyber Incident Reporting Council on the rule. They also request that the SEC analyze how the rules will interact with CIRCIA and with other federal cyber incident reporting requirements, and how they will affect the SEC’s other pending cybersecurity disclosure proposals.