Easterly: SEC vs. CIRCIA a ‘recipe for dysfunction’ after private sector complaints
Private sector companies have told the federal agency for cybersecurity that they are confused about how to abide by two relatively new cyber incident reporting rules.
In one of her final appearances as director of the Cybersecurity and Infrastructure Security Agency (CISA), Jen Easterly spoke at a think tank event on Wednesday about a range of cyber issues related to China, workforce training and more.
Easterly said private sector companies have come to her with issues about how to balance the U.S. Securities and Exchange Commission’s cyber incident reporting regime against the upcoming incident reporting rules under the Cyber Incident Reporting for Critical Infrastructure Act, also known as CIRCIA.
While the SEC rule is meant to notify shareholders of cyber incidents and CIRCIA is meant for critical infrastructure organizations to report incidents to the federal government, Easterly explained that there is significant confusion among companies trying to follow both rules.
“It's confusing to the private sector critical infrastructure owners and operators to say, ‘Well, I'm told I need to report to the SEC within this period of time if I have a significant cyber incident, but you have to report to CISA if you have a significant cyber incident in this period of time.’ And the language might be slightly different,” she said.
“That is just a recipe for dysfunction, frankly, to have both of those regimes in play. CIRCIA is required by law. It's a congressional law. I don't know what will happen when we have a new SEC Commissioner. They may or may not continue with that requirement again. They're for two different purposes.”
She noted that CIRCIA’s reports are not public and will only be seen by CISA and law enforcement agencies like the FBI. The goal of the rule is to help victims of cyberattacks and potentially warn the wider critical infrastructure ecosystem in the event of a larger campaign, Easterly said.
She called CIRCIA a “cyber neighborhood watch” that would allow critical infrastructure companies to “know if your neighbor got broken into to help protect your house.”
“That's really what that's about, the collective cyberdefense of the nation, and that's the intent of Congress,” she said.
All under ONCD?
Easterly spoke at length about the need for the harmonization of cyber rules beyond CIRCIA and the SEC regimes, noting that the rail, oil, gas and aviation industries also have their own incident reporting guidelines.
“I would like to see all of that harmonized … because some of these lesser-resourced entities can't do hundreds of things. I would like to see that normalized across all sectors and housed within one entity. I think the [Office of the] National Cyber Director would be a good place,” she said.
“I know there's legislation being worked on but simplicity is your friend. Complexity prevails against operational risk reduction, and so simplicity can really help with that.”
She added that the different rules are “burdensome and confusing to the private sector” — necessitating a streamlining effort that “could actually make things more effective for the private sector to be able to work with the government.”
The SEC incident reporting rule has faced criticism from members of Congress, private industry and even other federal agencies for a variety of reasons that include the sentiment shared by Easterly on Wednesday.
Since the rule fully took effect at the end of 2023, there have been attempts by the chairman of the House subcommittee on cybersecurity to have it rescinded, with several officials expressing concern that the SEC was ill-suited to handle cybersecurity issues compared to agencies like CISA.
The SEC has argued that its rule is necessary to inform customers and investors of critical issues. SEC officials have pointed to several instances where companies have allegedly withheld critical information from the public in an effort to protect a business’ financial position.
Had a BLAST talking with my friend @MarkCMontgomery about the evolving cyber threats & how @CISAgov is tackling them with public & private sector partners. While bittersweet (this was my last public event), I take immense pride in the work CISA does to keep our nation safe. pic.twitter.com/djTWC3dbgx
— Jen Easterly (@CISAJen) January 15, 2025
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.