Chairmen Green, Garbarino, Rep. Nunn Blast New SEC Cyber Rules

September 5, 2023

“It is unfathomable that the SEC is moving forward with its public disclosure requirements, which will only increase cybersecurity risk”

WASHINGTON, D.C. — House Committee on Homeland Security Chairman Mark E. Green, MD (R-TN) and Subcommittee on Cybersecurity and Infrastructure Protection Chairman Andrew Garbarino (R-NY) were joined by Congressman Zach Nunn (R-IA) on a letter to Securities and Exchange Commission (SEC) Chair Gary Gensler, which sounded off on the agency’s duplicative new cyber rules that increase bureaucratic burden for public companies, risk compromising their confidentiality, and run contrary to the congressionally-mandated, bipartisan Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). In the letter, the Members urge the SEC to work with the Department of Homeland Security (DHS) Cyber Incident Reporting Council and request an analysis by the SEC of how these rules will interact with CIRCIA, affect other federal cyber incident reporting requirements, and impact the SEC’s additional disclosure proposals.

Read more in The Washington Post’s Cybersecurity 202.

In the letter, the Members state, “We write expressing serious concerns over the Securities and Exchange Commission’s (SEC) new Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure final rules. While the SEC’s intent may be to standardize disclosures regarding cybersecurity governance and incident reporting by public companies, these new expansive disclosure requirements for public companies will do just the opposite by duplicating and confusing existing cyber incident reporting requirements. Further, the new rules compromise the confidentiality of a company’s cybersecurity program, thus harming investors instead of protecting them as the rules purport to do.”

The Members continue, “The passage of CIRCIA proved that cyber regulatory harmonization is a bipartisan priority in Congress, and the Administration itself has emphasized it as well. In the recent National Cybersecurity Strategy and accompanying Implementation Plan, the Administration highlights the importance of harmonizing cyber regulations across the government as well as harmonizing incident reporting requirements, specifically. The former challenge is given to the Office of the National Cyber Director to implement, while the latter is given to the congressionally-created Council. It is clear that these recently issued SEC rules run contrary to both congressional and Administration intent.”

The Members conclude, “Given the potentially harmful consequences of the final rule, we urge the SEC to delay the rule until the SEC works with the Council to determine how the rule interacts with CIRCIA and other Federal prudential regulators’ cybersecurity incident reporting requirements. Furthermore, we call on the SEC to conduct a complete internal analysis of how this rule will interact with the SEC’s other cybersecurity disclosure proposals before this final rule goes into effect. Failing to do so will only jeopardize companies’ confidential reporting strategies and publicly divulge vulnerabilities to our Nation’s critical infrastructure.”

Read the full letter here.