Republican lawmakers oppose SEC cybersecurity rules

A group of Republican lawmakers sent a letter this week to Securities and Exchange Commission (SEC) Chair Gary Gensler criticizing the agency’s new cybersecurity rules for public companies.

The rule, which took effect Sept. 5, requires publicly traded companies to notify the SEC of a cyberattack within four days of the incident. It also, among other provisions, requires periodic disclosure of a company’s policies and procedures to manage cybersecurity risk.

The letter — authored by U.S. Reps. Mark Green (R-TN), chair of the House Committee on Homeland Security; Andrew Garbarino (R-NY), chair of the House Subcommittee on Cybersecurity and Infrastructure Protection; and Zach Nunn (R-IA) — said the rules are duplicative and will create additional bureaucracy for public companies.

They also contend that the rules risk compromising the confidentiality of companies' cybersecurity programs and run contrary to the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).

“We write expressing serious concerns over the Securities and Exchange Commission’s (SEC) new Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure final rules. While the SEC’s intent may be to standardize disclosures regarding cybersecurity governance and incident reporting by public companies, these new expansive disclosure requirements for public companies will do just the opposite by duplicating and confusing existing cyber incident reporting requirements. Further, the new rules compromise the confidentiality of a company’s cybersecurity program, thus harming investors instead of protecting them as the rules purport to do,” the lawmakers wrote to the SEC chair.

The lawmakers urge the SEC to work with the Department of Homeland Security (DHS) Cyber Incident Reporting Council on the rule. They also request an analysis by the SEC of how these rules will interact with CIRCIA, affect other federal cyber incident reporting requirements, and impact the SEC’s additional disclosure proposals.

“Given the potentially harmful consequences of the final rule, we urge the SEC to delay the rule until the SEC works with the Council to determine how the rule interacts with CIRCIA and other Federal prudential regulators’ cybersecurity incident reporting requirements. Furthermore, we call on the SEC to conduct a complete internal analysis of how this rule will interact with the SEC’s other cybersecurity disclosure proposals before this final rule goes into effect. Failing to do so will only jeopardize companies’ confidential reporting strategies and publicly divulge vulnerabilities to our Nation’s critical infrastructure,” they added.

Dave Kovaleski
