
Republican lawmakers oppose SEC cybersecurity rules

A group of Republican lawmakers sent a letter this week to Securities and Exchange Commission (SEC) Chair Gary Gensler criticizing the agency’s new cybersecurity rules for public companies.

The rule, which took effect Sept. 5, requires publicly traded companies to notify the SEC of a cyberattack within four days of the incident. It also, among other provisions, requires periodic disclosure of a company’s policies and procedures to manage cybersecurity risk.

The letter was authored by U.S. Reps. Mark Green (R-TN), chair of the House Committee on Homeland Security; Andrew Garbarino (R-NY), chair of the House Subcommittee on Cybersecurity and Infrastructure Protection; and Zach Nunn (R-IA). It said the rules are duplicative and will create additional bureaucracy for public companies.

The lawmakers also contend that the rules risk compromising companies' confidentiality and run contrary to the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).

“We write expressing serious concerns over the Securities and Exchange Commission’s (SEC) new Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure final rules. While the SEC’s intent may be to standardize disclosures regarding cybersecurity governance and incident reporting by public companies, these new expansive disclosure requirements for public companies will do just the opposite by duplicating and confusing existing cyber incident reporting requirements. Further, the new rules compromise the confidentiality of a company’s cybersecurity program, thus harming investors instead of protecting them as the rules purport to do,” the lawmakers wrote to the SEC chair.

The lawmakers urge the SEC to work with the Department of Homeland Security (DHS) Cyber Incident Reporting Council on the rule. They also request an analysis by the SEC of how these rules will interact with CIRCIA, affect other federal cyber incident reporting requirements, and impact the SEC’s additional disclosure proposals.

“Given the potentially harmful consequences of the final rule, we urge the SEC to delay the rule until the SEC works with the Council to determine how the rule interacts with CIRCIA and other Federal prudential regulators’ cybersecurity incident reporting requirements. Furthermore, we call on the SEC to conduct a complete internal analysis of how this rule will interact with the SEC’s other cybersecurity disclosure proposals before this final rule goes into effect. Failing to do so will only jeopardize companies’ confidential reporting strategies and publicly divulge vulnerabilities to our Nation’s critical infrastructure,” they added.

Dave Kovaleski
