SEC official defends new cyber disclosure rule that some lawmakers seek to overturn

A top U.S. Securities and Exchange Commission (SEC) official on Wednesday defended the agency’s new cybersecurity disclosure rule in the face of withering criticism from industry groups and Republicans in Congress.

While Erik Gerding, the director of the division of corporation finance at the SEC, was not asked directly about a new congressional effort to overturn the rule, he did tell an interviewer at the Aspen Cyber Summit that the SEC pushed forward the rule in part because the agency was concerned about the underreporting of cybersecurity incidents by public companies. The rule is set to go into effect next month.

On Tuesday, Capitol Hill Republicans announced they plan to use a rare — and rarely successful — congressional procedure known as the Congressional Review Act to try to overturn the SEC requirement. Rep. Andrew Garbarino (R-NY) called the rule a “complete overreach.”

The rule will require public companies to disclose cybersecurity incidents within four business days of determining they are material, with an exception for events that the U.S. attorney general determines could pose a national security risk if made public. At a separate panel, the assistant director of the FBI's Cyber Division, Bryan Vorndran, said the Department of Justice will "provide public-facing guidance in the next month” about how companies can ask permission to delay cyber incident disclosure under the new SEC rule.

Industry groups have argued that it is unclear what constitutes a material event, but Gerding suggested it is a basic judgment call based on “what a reasonable investor would consider to be significant.”

He said the SEC definition of materiality in the rule “builds right off of a Supreme Court decision.”

Investors deserve prompt information on cyber incidents, Gerding said, calling them "very similar to other kinds of risks companies face" such as equipment burning down or interest rate movements.

Gerding added that the SEC is not “trying to prescribe what is or is not good risk management.” Instead, he said, the agency wants to let investors make the decision for themselves, armed with the right information.

Much of the criticism around the new rule centers on the idea that disclosure will help cyber criminals, but Gerding waved that off.

“What we’re not looking for is technological details that give bad actors … a road map to pierce” a given company’s cyber defenses, he said.

The SEC is proposing the rule, he said, to help “investors understand whether companies are adequately winning [the] arms race” against cyber criminals.