Chairman of House cybersecurity panel wants to overturn SEC disclosure rules
The chairman of the House subcommittee on cybersecurity has proposed legislation that would overturn a controversial rule set to come into effect next month mandating that companies disclose cybersecurity incidents.
The legislation from Rep. Andrew Garbarino (R-NY) would block the Securities and Exchange Commission (SEC) from requiring companies that it regulates to quickly disclose “material” cybersecurity incidents and share the details of their cybersecurity risk management, strategy, and governance with the commission on an annual basis.
The SEC approved new rules in June and they immediately drew backlash from companies and lawmakers who questioned the meaning of “material” and wondered whether the regulations would conflict with future incident reporting measures.
Garbarino — chairman of the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection — introduced his measure Tuesday. Sen. Thom Tillis (R-NC) offered a companion measure in that chamber. The proposal falls under the authority of the Congressional Review Act, a law that allows Congress to reject regulations issued by agencies.
The SEC declined to comment to Recorded Future News on the proposal.
Garbarino has argued that CISA should be the lead agency behind any incident reporting effort instead of the SEC.
“This cybersecurity disclosure rule is a complete overreach on the part of the SEC and one that is in direct conflict with congressional intent. CISA, as the lead civilian cybersecurity agency, has been tasked with developing and issuing regulations for cyber incident reporting as it relates to covered entities,” Garbarino said in a statement.
“Congress has been clear in its intent to harmonize federal incident reporting requirements, a position that the Biden Administration has emphasized as well.”
Garbarino called the rules “duplicative,” saying they “not only further burden an understaffed cybersecurity workforce with additional and unnecessary reporting requirements, but also increase cybersecurity risk without a congressional mandate and in direct contradiction to public law that is intended to secure the homeland.”
Garbarino said the focus should be on the incident reporting rule passed by Congress last year that will come into effect next year. The lawmaker pressed SEC Chairman Gary Gensler about the issue repeatedly at a hearing in September.
Tillis reiterated Garbarino’s comments, saying the rule was “overreaching” and created “unrealistic timelines and unnecessary red tape.”
The SEC has argued that its rule is necessary to inform customers and investors of critical issues. SEC officials have pointed to several instances where companies have allegedly withheld critical information from the public in an effort to protect a business’s financial position — most notably the SEC’s current case against technology company SolarWinds.
The Atlantic Council’s Cyber Statecraft Initiative released a report in June backing the SEC rules, arguing that most complaints could be addressed through slight amendments and that the measures would help investors make decisions while creating “publicly accessible and standardized data about cyber incidents.”
Garbarino’s office shared messages from business leaders and industry groups, including the U.S. Chamber of Commerce, that slammed the SEC rule for forcing companies to disclose information before issues can be resolved.
Christopher Roberti, a senior vice president at the Chamber, said reporting cybersecurity incidents could “interfere with the efforts by law enforcement and intelligence agencies to stop attackers.”
A representative from the American Bankers Association (ABA) added that most banks already have to report hacks to other regulators and notify customers of stolen data.
“The SEC’s rule could actually make things worse by publicly identifying the business that’s been hacked and inviting other bad actors to target the same business,” said Kirsten Sutton, executive vice president at the ABA.
Companies have to report issues to the SEC in 8-K filings within four business days unless the U.S. attorney general determines that disclosure would threaten national security or public safety.
CIRCIA on the way
The Cybersecurity and Infrastructure Security Agency (CISA) is currently in the process of sketching out the fine points of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) — which would govern critical infrastructure organizations.
Under CIRCIA, organizations would have 72 hours to report incidents. Part of CIRCIA also involves a council at the Department of Homeland Security that is working to harmonize the rules with other incident reporting measures that are currently in effect.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.