As a controversial Security and Exchange Commission breach-disclosure rule inches closer to reality, some lawmakers are stepping up efforts to stymie the regulation. Meanwhile, one criminal group is attempting to weaponize the disclosure rule and earlier this month filed a SEC complaint that one of its victims failed to disclose a breach it was behind.
The most recent effort to derail the rule includes a joint resolution filed this month to Congress by a group of lawmakers that argue the “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” rule will conflict with existing regulations and overburden cybersecurity professionals.
The disclosure requirements, designed to standardize breach reporting and increase transparency for investors, go into effect on Dec. 18. The rule requires a breached company to report a cyberattack within four days of the incident.
Rep. Andrew Garbarino, R-N.Y., and Sen. Thom Tillis, R-N.C., are sponsoring the proposal to void the rule and say the SEC’s new breach requirement conflicts with existing regulations and overburdens cybersecurity professionals.
The bill goes by House Joint Resolution 100 and in the Senate as Senate Joint Resolution 50. Both bills are brief, stating that the SEC’s final rule published Aug. 4, “shall have no force or effect.” The joint resolution was introduced on Nov. 9 and is co-sponsored by four other Republicans — three representatives and one senator.
“The cybersecurity disclosure rule is a complete overreach on the part of the SEC and one that is in direct conflict with congressional intent,” Garbarino said in a statement.
The representative argued that the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which was passed by Congress and signed into law by President Joe Biden in March 2022, already sets forth appropriate regulations for cyber incident reporting.
“Despite this, the SEC took it upon itself to create duplicative requirements that not only further burden an understaffed cybersecurity workforce with additional and unnecessarily reporting requirements, but also increase cybersecurity risk without a congressional mandate and in direct contradiction to public law that is intended to secure the homeland,” Garbarino stated.
CIRCIA requires organizations in certain critical infrastructure sectors — such as healthcare and communications — to report significant cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. Meanwhile, the new SEC rules add a new Item 1.05 to Form 8-K, requiring disclosure of material cyber incidents to the SEC within four business days.
Difference between CIRCIA and new disclosure rule
A major difference between these regulations is that reports to CISA remain confidential and are only circulated within the federal government, while disclosures on Form 8-K are made public to notify investors. Additionally, CIRCIA is mainly aimed at bolstering the government’s response to cyberattacks targeting critical infrastructure, while the SEC rules are designed to keep investors informed about major cyber incidents.
Upon the SEC’s adoption of the final rule on July 26, SEC Chair Gary Gensler released a statement saying, “Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors … Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
Concern about a double burden on cybersecurity teams due to the disclosure requirements of both CIRCIA and Item 1.05 predates the latter’s adoption. The published SEC final rule notes several letters submitted during the public comment period that raised the issue of potential conflicts between the two regulations. The SEC highlighted the differences between the two regulations and disagreed that CIRCIA should be the sole rule on reporting cybersecurity incidents.
“Disclosure to investors is a central pillar of the Federal securities laws,” the rule states, citing the Securities Act of 1933.
When contacted by SC Media, the SEC declined to comment on the proposed joint resolution to overturn the final rule.
Cybersecurity experts weigh in on disclosure deadline
Ransomware gang ALPHV/BlackCat renewed attention to the SEC rule on Wednesday when it reported MeridianLink for alleged failure to disclose a breach the gang says it committed. While the four-day disclosure deadline cited by the gang is not yet in effect, and MeridianLink denied data was stolen in the incident, some cybersecurity professionals are concerned about threat actors using the rule to their advantage.
The Informational Technology Industry Council (ITI), a trade organization that represents Google, Apple, Meta, Intel and dozens more companies in the ICT sector, submitted a public comment in May 2023 raising concerns about the new SEC rule. ITI Senior Vice President for Policy and General Counsel John Miller said in a statement to SC Media on Friday that lawmakers’ calls to reverse the rule reflect these ongoing concerns, including the danger of making unresolved cyber incidents public.
“While we share the SEC’s stated goal to protect investors, the recent actions of a hacker group underscore the potential unintended consequences of a rule that publicizes companies who have already been victimized by malicious actors,” Miller said.
Morgan Wright, chief security advisor at SentinelOne, also worried that bad actors could seize opportunities to exploit regulatory barriers. Commenting on the joint resolution, Wright told SC Media he agreed with lawmakers that the SEC rule is “wholly unnecessary” and promotes overregulation that will confuse and weaken security teams
“Companies covered under the SEC rule need to spend their time defending their endpoints and networks instead of trying to figure out which regulation to follow and if the law supersedes the regulation,” Wright said.
SC Media also spoke with Adam Wisnieski, strategy and risk management leader at Optiv. Wisnieski explained how plans to reverse the new SEC rule could backfire. He points out how the strict deadlines have led more companies to improve their cybersecurity hygiene and take security more seriously.
“To roll this back at such a late date could generate confusion on requirements as well as lead to future inaction if such mandates can be easily overturned without coordination,” Wisnieski said.
GovTrack.us, a website that uses a logistic regression model to compute a bill’s likelihood of success, predicts that H.J.Res.100/S.J.Res.50 has an 8% chance of being enacted. The joint resolution relies on the Congressional Review Act (CRA), which gives Congress the power to overturn rules set by federal agencies. Since its passage in 1996, the CRA has been used to reverse a total of 20 rules as of February 2023, according to the Congressional Research Service.