House GOP members blast new SEC cyber incident disclosure rules
Republican leaders from the House Committee on Homeland Security criticized the Securities and Exchange Commission’s (SEC) recently unveiled cyber incident disclosure rules as duplicative, a headache for public companies, and potentially a confidentiality risk.
The members behind a letter sent to the agency on Friday, including Chairman Mark Green (R-TN) and Subcommittee on Cybersecurity and Infrastructure Protection Chairman Andrew Garbarino (R-NY), told SEC Chair Gary Gensler the agency’s new cybersecurity incident disclosure rules conflict with the congressionally-mandated, bipartisan Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The letter was made public Tuesday evening.
Under the new SEC rules, companies must give the agency details of a given cybersecurity incident’s “nature, scope, and timing” and provide information about its potential impact. Companies will be required to determine if an incident is “material” and disclose it to the SEC within four business days if it meets that threshold.
In Friday’s letter, the Republican members argue the SEC should work with the Department of Homeland Security Cyber Incident Reporting Council and provide its own analysis of how the new rule meshes with CIRCIA and other federal cyber incident reporting rules.
“While the SEC’s intent may be to standardize disclosures regarding cybersecurity governance and incident reporting by public companies, these new expansive disclosure requirements for public companies will do just the opposite by duplicating and confusing existing cyber incident reporting requirements,” the members’ letter states.
The letter also argues that the SEC’s new rules “compromise the confidentiality of a company’s cybersecurity program, thus harming investors instead of protecting them as the rules purport to do.”
Some leaders in the investment community, however, praised the SEC’s proposal when it was announced.
Credit ratings firm Moody’s issued a statement praising the new rules for injecting “more transparency into an otherwise opaque but growing risk, as well as more consistency and predictability.”
The statement from Moody’s Investors Service Senior Vice President Lesley Ritter went on to say the SEC’s demand for increased disclosure will allow public companies to “compare practices and may spur improvements in cyber defenses” by motivating companies with higher cyber risk to fix problems.
The Republicans behind Friday’s letter, however, called out major contradictions between the SEC’s new rules and CIRCIA as well as the recently unveiled National Cybersecurity Strategy’s vision.
The letter argues that CIRCIA’s passage proves that cyber regulatory harmonization is a bipartisan priority in both Congress and the Biden administration, as evidenced in the recently unveiled strategy.
“It is clear that these recently issued SEC rules run contrary to both congressional and Administration intent,” the letter said.
Citing the “potentially harmful consequences” of the rule, the letter also asks the SEC to complete an “internal analysis.”
“Failing to do so will only jeopardize companies’ confidential reporting strategies and publicly divulge vulnerabilities to our Nation’s critical infrastructure,” the letter said.
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.