A group of Republican lawmakers sent a letter this week to Securities and Exchange Commission (SEC) Chair Gary Gensler criticizing the agency’s new cybersecurity rules for public companies.
The rule, which took effect Sept. 5, requires publicly traded companies to notify the SEC of a cyberattack within four days of the incident. It also, among other provisions, requires periodic disclosure of a company’s policies and procedures to manage cybersecurity risk.
The letter was authored by U.S. Reps. Mark Green (R-TN), chair of the House Committee on Homeland Security; Andrew Garbarino (R-NY), chair of the House Subcommittee on Cybersecurity and Infrastructure Protection; and Zach Nunn (R-IA). It said the rules are duplicative and will create additional bureaucracy for public companies.
They also contend that the rules will risk compromising companies' confidentiality and run contrary to the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).
“We write expressing serious concerns over the Securities and Exchange Commission’s (SEC) new Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure final rules. While the SEC’s intent may be to standardize disclosures regarding cybersecurity governance and incident reporting by public companies, these new expansive disclosure requirements for public companies will do just the opposite by duplicating and confusing existing cyber incident reporting requirements. Further, the new rules compromise the confidentiality of a company’s cybersecurity program, thus harming investors instead of protecting them as the rules purport to do,” the lawmakers wrote to the SEC chair.
The lawmakers urge the SEC to work with the Department of Homeland Security (DHS) Cyber Incident Reporting Council on the rule. They also request an analysis by the SEC of how these rules will interact with CIRCIA, affect other federal cyber incident reporting requirements, and impact the SEC’s additional disclosure proposals.
“Given the potentially harmful consequences of the final rule, we urge the SEC to delay the rule until the SEC works with the Council to determine how the rule interacts with CIRCIA and other Federal prudential regulators’ cybersecurity incident reporting requirements. Furthermore, we call on the SEC to conduct a complete internal analysis of how this rule will interact with the SEC’s other cybersecurity disclosure proposals before this final rule goes into effect. Failing to do so will only jeopardize companies’ confidential reporting strategies and publicly divulge vulnerabilities to our Nation’s critical infrastructure,” they added.